(54) Method of establishing a security policy, and apparatus for supporting establishment of security policy

(57) There are provided a method of efficiently establishing a security policy and an apparatus for supporting establishment of a security policy. According to a method of establishing a security policy in six steps, a simple security policy draft is first prepared. The security policy draft is adjusted so as to match realities of an organization, as required, thus completing a security policy stepwise. Therefore, a security policy can be established in consideration of a schedule or budget of the organization.
Description

Background of the Invention

Field of the Invention

[0001] The present invention relates to establishment of a so-called security policy. More particularly, the present invention relates to a method which enables immediate establishment of a security policy suitable for an individual organization, as well as to an apparatus for supporting establishment of a security policy.

Background Art

[0002] In association with development of information technology, the importance of information security increases. Every organization takes various measures for protecting internal information.

[0003] For example, a firewall is set at an interface for establishing connection with an external network, thereby preventing unauthorized intrusion of an outsider into an internal network of the organization, or unauthorized access to internal information.

[0004] In order to combat computer viruses or the like, virus detection/combat software is employed for monitoring computers disposed in the organization. Throughout the specification, the expression "organization" signifies an enterprise, a federal or municipal agency, a corporation such as a legally-incorporated foundation, or any other party or organized group.
[0005] As mentioned above, various measures have hitherto been taken for ensuring information security.

[0006] If such measures are independently or separately discussed or reviewed, ensuring the security level of the entire organization becomes difficult.

[0007] For instance, no matter how well a firewall is enhanced, if third parties can freely enter the organization's building and have an opportunity to operate a terminal, the security level of the entire organization is considerably deteriorated.

[0008] Even if virus detection software is used, if updating of the software to oppose new viruses is neglected, the software cannot combat newly created computer viruses.

[0009] In order to enhance the information security level of the entire organization, there must be devised a method for designing and implementing information security of the entire organization. Such a designing and implementation method (or a group of designing and implementation methods) is generally called a security policy.

[0010] Various proposals concerning basic headings and contents for establishing a standard security policy have already been put forward as international guidelines. As a matter of course, the headings and contents must be individually tailored to the organization.

[0011] Therefore, there still remains a necessity for establishing a security policy on a per-organization basis; security policies cannot be mass-produced. Thus, establishment of an individual security policy involves consumption of much time and effort.

[0012] Further, the contents of a security policy must be changed with the elapse of time. For instance, in a case where a corporate organizational structure has been changed, the usage value and risk assessment of existing information must be changed correspondingly.

[0013] A common method concerning establishment of a security policy and making periodic amendments to the security policy has not been known. For this reason, an individual systems engineer has had to establish or amend a security policy through experience and guesswork. As a result, establishment of or making amendments to a security policy consumes an enormous amount of manpower. It is assumed that amendments may fail to catch up with a change in the actual circumstances (hereinafter called "reality") of an organization.

[0014] It has often been seen that a wide difference arises between a security policy and the reality of an organization, thereby imposing difficulty in establishing and sustaining enhanced information security.

[0015] The present invention has been conceived in light of the foregoing drawbacks of the background art and is aimed at providing a method of efficiently establishing a security policy, as well as an apparatus for supporting establishment of a security policy.

Summary of the Invention

[0016] To this end, the present invention provides a method of establishing a security policy for a predetermined organization, the method comprising:

a draft preparation step of preparing a security policy draft;

an analysis step of examining a difference between the security policy draft and realities of the organization; and

an adjustment step of adjusting the security policy draft on the basis of the difference or adjusting operation rules of an actual information system belonging to the organization on the basis of the difference.

[0017] By means of such a configuration, a security policy can be established stepwise, thereby enabling efficient establishment of a security policy.
[0018] Preferably, the draft preparation step comprises:

a preparation step of preparing inquiries to be submitted to members of an organization;

an inquiry step of submitting the prepared inquiries to the members;

an answer acquisition step of acquiring from the members answers to the inquiries; and

a drafting step of preparing a security policy draft on the basis of the answers.

[0019] By means of such a configuration, a security policy draft can be prepared on the basis of inquiries.

[0020] Preferably, the preparation step involves preparation of inquiries on the basis of job specifications of members to be inquired.

[0021] Since inquiries are prepared according to the job specification of a member to be inquired, inquiries can be submitted efficiently.

[0022] Preferably, the answer acquisition step includes at least one of the steps of:

integrating the answers acquired from a single member from among the acquired answers and storing the integrated answers into storage means as answers of a single member to be inquired;

re-submitting inquiries to members if contradictory answers are included in the answers, to thereby resolve contradiction, and storing the answers into the storage means; and

assigning weights to answers according to job specifications of the members to be inquired if contradictory answers are included in the answers, to thereby determine answers and store the answers into the storage means.

[0023] Such a configuration enables integration of answers in a case where a plurality of inquirers separately submit inquiries to members to be inquired.
[0024] Preferably, the analysis step comprises at least one of:

a contradiction inspection step of inspecting whether or not contradictory answers are included in the answers;

a first difference detection step of inspecting a difference between an information system virtually designed on the basis of the answers and the security policy by means of comparison; and

a second difference detection step of verifying the virtually-designed information system by means of examination of a real information system and inspecting a difference between the verified information system and the security policy draft by means of comparison.

[0025] Such a configuration enables finding of contradiction between answers and detection of a difference between a real information system and a security policy.

[0026] Preferably, the method of establishing a security policy further comprises a measurement step of devising measures addressing the inspected difference, in conjunction with the priority of the measures.

[0027] Such a configuration enables devising of measures with assigned priorities.
[0028] Preferably, the method of establishing a security policy further comprises a diagnosis step of diagnosing the security state of the organization, wherein a result of diagnosis performed in the diagnosis step is submitted to the organization, wherewith the organization can become conscious of a necessity for a security policy.

[0029] Such a configuration enables ascertainment of the security status of the organization.

[0030] Preferably, the method of establishing a security policy further comprises a priority planning step of planning, in sequence of priority, implementation of the security measures which have been devised, thereby embodying a budget of the organization.

[0031] Such a configuration enables implementation of security measures in a premeditated manner, thereby facilitating preparation of a budget.
[0032] Preferably, the security measures comprise:

introduction and testing of a security system;

training for compelling members to respect a security policy;

analysis of system logs;

monitoring of a network;

auditing operations on the basis of the security policy; and

reviewing the security policy.

[0033] Since the security measures involve training of members as well as introduction of information security equipment, a higher degree of information security can be attained.

[0034] Preferably, the method of establishing a security policy further comprises a security enhancement measures implementation step of implementing the security measures in accordance with the plan.

[0035] Such a configuration enables smooth implementation of security measures.
[0036] The present invention also provides a method of establishing a security policy comprising:

a preparation step of preparing inquiries to be submitted to members of an organization;

an inquiry step of submitting the prepared inquiries to the members;

an answer acquisition step of acquiring from the members answers to the inquiries; and

an establishment step of establishing a security policy on the basis of the answers.

[0037] By means of such a configuration, a security policy draft can be prepared on the basis of inquiries.

[0038] Preferably, the preparation step involves preparation of inquiries on the basis of job specifications of members to be inquired.

[0039] Since inquiries are prepared according to the job specification of a member to be inquired, inquiries can be submitted efficiently.

[0040] Preferably, the answer acquisition step includes at least one of the steps of:

integrating the answers acquired from a single member from among the acquired answers and storing the integrated answers into storage means as answers of a single member to be inquired;

re-submitting inquiries to members if contradictory answers are included in the answers, to thereby resolve contradiction, and storing the answers into the storage means; and

assigning weights to answers according to job specifications of the members to be inquired if contradictory answers are included in the answers, to thereby determine answers and store the answers into the storage means.

[0041] Such a configuration enables integration of answers in a case where a plurality of inquirers separately submit inquiries to members to be inquired.
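The following Python is an added illustration of the three answer acquisition sub-steps in [0040] (the same sub-steps appear in [0022] and [0056]); it is not code from the patent. It assumes a three-tier weighting by job specification (administrator 3, manager 2, employee 1), a small constructed answer set gathered by two inquirers, and the rule that a weighted tie is not decided by weight but sent back for re-submission. It first integrates everything one member said regardless of which inquirer collected it, then lists the inquiries that received conflicting answers, then resolves what weighting can resolve.

```python
"""Answer acquisition: integrate, detect contradictions, resolve by job weight.
Added illustration; the patent does not prescribe a data model or weights."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed weights per job specification: an administrator's statement about a
# system setting outweighs a manager's, which outweighs a general employee's.
JOB_WEIGHTS = {"administrator": 3, "manager": 2, "employee": 1}


@dataclass(frozen=True)
class Answer:
    member: str     # member who answered
    job: str        # member's job specification
    inquiry: str    # inquiry identifier
    value: str      # answer given
    inquirer: str   # inquirer who collected it (several may visit one member)


def integrate_answers(answers):
    """Merge everything one member said, whichever inquirer collected it.
    Returns ({member: {inquiry: set(values)}}, {member: job}); a set with more
    than one value is a member contradicting themself."""
    merged = defaultdict(lambda: defaultdict(set))
    jobs = {}
    for a in answers:
        merged[a.member][a.inquiry].add(a.value)
        jobs[a.member] = a.job
    return merged, jobs


def find_contradictions(merged):
    """{inquiry: {value: [members]}} for every inquiry that received more than one
    distinct value, whether from different members or from one member."""
    by_inquiry = defaultdict(lambda: defaultdict(set))
    for member, qs in merged.items():
        for inquiry, values in qs.items():
            for v in values:
                by_inquiry[inquiry][v].add(member)
    return {q: {v: sorted(m) for v, m in vals.items()}
            for q, vals in by_inquiry.items() if len(vals) > 1}


def resolve_by_weight(merged, jobs, contradictions, weights=JOB_WEIGHTS):
    """Weighted vote over each member's distinct values (a duplicate collected by
    a second inquirer is not counted twice). A tie is not decided here: the
    inquiry goes to the re-submission list, the patent's other resolution route."""
    resolved, resubmit = {}, []
    for inquiry in contradictions:
        tally = defaultdict(int)
        for member, qs in merged.items():
            for v in qs.get(inquiry, ()):
                tally[v] += weights.get(jobs[member], 1)
        ranked = sorted(tally.items(), key=lambda kv: (-kv[1], kv[0]))
        if ranked[0][1] == ranked[1][1]:
            resubmit.append(inquiry)
        else:
            resolved[inquiry] = ranked[0][0]
    return resolved, sorted(resubmit)


# Constructed sample: two inquirers, four members, one duplicate, one self-contradiction.
SAMPLE_ANSWERS = [
    Answer("alice", "administrator", "backup_frequency", "daily", "inquirer-1"),
    Answer("alice", "administrator", "backup_frequency", "daily", "inquirer-2"),
    Answer("bob", "employee", "backup_frequency", "weekly", "inquirer-1"),
    Answer("bob", "employee", "password_rotation", "90 days", "inquirer-1"),
    Answer("erin", "employee", "password_rotation", "90 days", "inquirer-2"),
    Answer("carol", "manager", "password_rotation", "never", "inquirer-1"),
    Answer("carol", "manager", "firewall_present", "yes", "inquirer-1"),
    Answer("carol", "manager", "firewall_present", "no", "inquirer-2"),
]


def run_answer_acquisition(answers=SAMPLE_ANSWERS):
    merged, jobs = integrate_answers(answers)
    contradictions = find_contradictions(merged)
    resolved, resubmit = resolve_by_weight(merged, jobs, contradictions)
    return {"contradictions": contradictions, "resolved": resolved, "resubmit": resubmit}


if __name__ == "__main__":
    for key, value in run_answer_acquisition().items():
        print(key, value)
```

On the constructed data the backup question is settled by the administrator's weight, while the password question (two employees against one manager) and carol's own yes/no conflict tie and are queued for re-submission; tallying distinct per-member values rather than raw records is what keeps alice's duplicate from counting twice.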
[0042] Preferably, the establishment step involves establishment of three types of security policies; namely,

an executive-level security policy which describes the organization's concept and policy concerning information security in conformity with global guidelines;

a corporate-level security policy which describes an information security system embodying the executive-level security policy; and

a product-level security policy which describes measures to implement the executive-level security policy with reference to the corporate-level security policy.

[0043] Since three types of security policies are established, a hierarchical security policy can be obtained. Here, the measures to implement the executive-level security policy with reference to the corporate-level security policy include operation rules for utilizing the security policies, as well as hardware and software.
[0044] Preferably, the corporate-level security policy includes two types of corporate-level security policies; namely,

a top-level security policy describing standards for the information security system of the overall organization; and

a sub-level security policy describing standards for individual units constituting the information security system of the organization.

[0045] Such a configuration clarifies a security policy for the entire organization and a security policy for individual pieces of equipment. Here, equipment is a concept including networks, hosts, and applications.

[0046] Preferably, the product-level security policy includes two types of product-level policies; namely,

a first-level security policy described in natural language; and

a second-level security policy describing settings of individual devices constituting the information security system.

[0047] The first-level product-level security policy enables a human to understand a security policy. The second-level product-level security policy facilitates setting of individual equipment. Here, equipment includes both hardware and software constituting the information security system.

[0048] Preferably, the analysis step comprises:

a contradiction inspection step of inspecting whether or not contradictory answers are included in the answers; and

a difference detection step of inspecting whether or not there is a difference between an information system virtually designed on the basis of the answers and a real information system of the organization.

[0049] Such a configuration enables efficient detection of contradiction or difference.

[0050] Preferably, the method of establishing a security policy further comprises a measurement step of devising measures addressing the inspected difference, in conjunction with the priority of the measures.

[0051] Since measures are devised in conjunction with priorities thereof, planning for implementing information security is facilitated.

[0052] The present invention also provides an apparatus for establishing a security policy comprising:

inquiry preparation means for preparing inquiries to be submitted to members of an organization;

storage means for storing answers to the inquiries;

answer archival storage means for acquiring from the members the answers to the inquiries and storing the answers into the storage means; and

establishment means for establishing a security policy on the basis of the answers stored in the storage means.

[0053] Since inquiries to be submitted to members are prepared, inquiry operations are facilitated. Here, the expression "member" signifies any individual associated with an information system of the organization. Therefore, members include part-time employees and employees of affiliated corporations, as well as employees of the organization of interest.

[0054] Preferably, the inquiry preparation means prepares inquiries to be submitted to the members to be inquired, on the basis of job specifications of the members to be inquired.

[0055] Since inquiries are prepared according to the job specification of a member to be inquired, inquiries can be submitted efficiently.
[0056] Preferably, the answer archival storage means

integrates the answers acquired from a single member from among the acquired answers and stores the integrated answers into the storage means as answers of a single member to be inquired; or

re-submits inquiries to members if contradictory answers are included in the answers, to thereby resolve contradiction, and stores the answers into the storage means; or

assigns weights to answers according to job specifications of the members to be inquired if contradictory answers are included in the answers, to thereby determine answers, and stores the answers into the storage means.

[0057] Such a configuration enables integration of answers while ensuring a match among the answers in a case where a plurality of inquirers separately submit inquiries to members to be inquired.

[0058] Preferably, the establishment means establishes three types of security policies; namely,

an executive-level security policy which describes the organization's concept and policy concerning information security in conformity with global guidelines;

a corporate-level security policy which describes an information security system embodying the executive-level security policy; and

a product-level security policy which describes measures to implement the executive-level security policy with reference to the corporate-level security policy.

[0059] Since three types of security policies are established, a hierarchical security policy can be obtained. Here, the measures for implementing the executive-level security policy with reference to the corporate-level security policy include operation rules for utilizing the security policies, as well as hardware and software.

[0060] Preferably, the corporate-level security policy includes two types of corporate-level security policies; namely,

a top-level security policy describing standards for the information security system of the overall organization; and

a sub-level security policy describing standards for individual units constituting the information security system of the organization.

[0061] Such a configuration clarifies a security policy for the entire organization and a security policy for individual pieces of equipment. Here, equipment is a concept including networks, hosts, and applications.

[0062] Preferably, the product-level security policy includes two types of product-level policies; namely,

a first-level security policy described in natural language; and

a second-level security policy describing settings of individual devices constituting the information security system.

[0063] The first-level product-level security policy enables a human to understand a security policy. The second-level product-level security policy facilitates setting of individual equipment. Here, equipment includes both hardware and software constituting the information security system.

[0064] The present invention also provides a method of assessing the state of security of an organization, the method comprising:

an inquiry preparation step of preparing inquiries to be submitted to members of an organization;

an inquiry step of submitting the prepared inquiries to the members;

an answer acquisition step of acquiring from the members answers to the inquiries; and

a security state assessment step of assessing the state of security on the basis of the answers.

[0065] By means of such a configuration, the security state of an organization can be ascertained on the basis of answers to inquiries.

[0066] Preferably, the inquiry preparation step involves preparation of inquiries on the basis of job specifications of members to be inquired.

[0067] Since inquiries are prepared according to the job specification of a member to be inquired, inquiries can be submitted efficiently.

[0068] Preferably, the answer acquisition step involves integration of previous answers and acquired answers in a case where the answers are provided by a member to be inquired who has provided answers before, and involves storage of the integrated answers into storage means as answers from a single member to be inquired.

[0069] Such a configuration enables integration of answers while ensuring a match among the answers in a case where a plurality of inquirers separately submit inquiries to members to be inquired.

[0070] Preferably, the assessment of a security state includes:

assessment of security of the organization;

assessment of security of the other organizations included in an industry to which the organization pertains; and

the highest security assessment which is considered to be attainable by organizations in the industry to which the organization pertains.

[0071] Such a configuration enables assessment of an organization in comparison with similar organizations. Further, display of a theoretical highest value facilitates setting of a goal to be attained.

[0072] Preferably, the assessment of a security state includes scores assigned to the following items; namely,

understanding and attitude concerning security;

a security system of the organization;

a response to unexpected accidents;

preparation of a budget for security; and

measures to improve security.

[0073] Such a configuration enables an organization to ascertain assessment of information security on a per-item basis.

[0074] The present invention also provides an apparatus for assessing the state of security of an organization, the apparatus comprising:

preparation means for preparing inquiries to be submitted to members of an organization;

storage means for storing answers to the inquiries;

answer archival storage means for acquiring the answers to the inquiries from the members and storing the answers into the storage means; and

security effectiveness preparation means for preparing a security effectiveness report representing the degree of completeness of security, on the basis of the answers stored in the storage means.

[0075] Inquiries are submitted to members, and an organization can ascertain its security on the basis of answers to the inquiries.

[0076] Preferably, the preparation means prepares inquiries to be submitted to the members to be inquired, on the basis of job specifications of the members to be inquired.

[0077] Since inquiries are prepared according to the job specification of a member to be inquired, inquiries can be submitted efficiently.

[0078] Preferably, the answer archival storage means integrates previous answers and acquired answers in a case where the answers are provided by a member to be inquired who has provided answers before, and stores the integrated answers into the storage means as answers from a single member to be inquired.

[0079] Such a configuration enables integration of answers while ensuring a match among the answers in a case where a plurality of inquirers separately submit inquiries to members to be inquired.

[0080] Preferably, the security effectiveness report includes:

the degree of completeness of the organization's security;

the degree of completeness of security of other organizations included in an industry to which the organization pertains; and

the highest degree of completeness of security which is considered to be attainable by organizations in the industry to which the organization pertains.

[0081] Such a configuration enables assessment of an organization in comparison with other organizations. Further, display of a theoretical highest value facilitates setting of a goal to be attained.

[0082] Preferably, the security effectiveness report includes scores assigned to the following items; namely,

understanding and attitude concerning security;

a security system of the organization;

response to unexpected accidents;

preparation of a budget for security; and

measures to improve security.

[0083] Such a configuration enables an organization to ascertain assessment of information security on a per-item basis.

[0084] The present invention also provides an analyzer for analyzing a difference between a security policy and an information system of an organization, comprising:

contradiction inspection means for inspecting whether or not contradiction exists between individual answers in response to inquiries submitted to members of the organization; and

contradiction output means for outputting information about the inspected contradiction.

[0085] Such a configuration enables ascertainment of contradiction included in answers.

[0086] Preferably, the analyzer for analyzing a difference between a security policy and an information system of an organization further comprises:

matching means for matching the answers by means of elimination of contradiction on the basis of the information about contradiction, thus producing answers free of contradiction;

establishment means for virtually establishing an information system for the organization on the basis of the answers produced by the matching means; and

difference output means for outputting a difference between the configuration of the virtually-established information system and a security policy, by means of comparison.

[0087] Such a configuration enables ascertainment of a difference between a security policy and realities of an organization.
[0088] Preferably, the analyzer for analyzing a difference between a security policy and an information system of an organization further comprises:

real system input means for examining the information system of the organization and entering the configuration of the information system; and

difference output means which verifies the virtually-established information system by reference to the configuration of the information system and outputs a difference between a security policy and the configuration of the virtually-established information system which has been verified, by means of comparison.

Such a configuration enables comparison between an information system which has been verified by means of actual examination of an information system and a security policy, thereby enabling accurate analysis of a difference.
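As an added illustration of the two difference detections of [0086] and [0088] (the first and second difference detection steps of [0024]), the following Python is not the patent's code. It assumes a policy draft expressed as checkable rules over four settings, a small vocabulary of interview phrases, and a constructed real-system inspection result. Contradiction-free answers are first translated into the "virtually designed" configuration and compared against the draft; the configuration observed on the real system then overrides what the answers claimed, and the comparison is repeated.

```python
"""Difference detection: policy draft vs. the system implied by answers, then vs.
the system as actually examined. Added illustration; the rule format, the answer
vocabulary and the sample values are assumptions."""

# Policy draft as checkable rules: ("max", n) means the value must be known and
# at most n; ("equals", x) means the value must be exactly x. Constructed.
POLICY_DRAFT = {
    "backup_interval_days": ("max", 1),        # back up at least daily
    "password_rotation_days": ("max", 90),     # rotate passwords within 90 days
    "signature_update_days": ("max", 7),       # virus signatures refreshed weekly
    "firewall_present": ("equals", True),      # firewall at the external interface
}


def days_from_phrase(text):
    """Map an interview phrase to an interval in days; None when unknown or 'never'."""
    table = {"hourly": 0, "daily": 1, "weekly": 7, "monthly": 30, "never": None}
    if text is None:
        return None
    text = text.strip().lower()
    if text in table:
        return table[text]
    if text.endswith(" days") and text.split()[0].isdigit():
        return int(text.split()[0])
    return None


def design_virtual_system(answers):
    """Translate contradiction-free answers into a configuration: the information
    system 'virtually designed on the basis of the answers'."""
    yes_no = {"yes": True, "no": False}
    return {
        "backup_interval_days": days_from_phrase(answers.get("backup_frequency")),
        "password_rotation_days": days_from_phrase(answers.get("password_rotation")),
        "signature_update_days": days_from_phrase(answers.get("antivirus_update")),
        "firewall_present": yes_no.get(str(answers.get("firewall_present")).lower()),
    }


def detect_differences(policy, system):
    """{setting: (required, actual)} for each rule the configuration fails.
    Unknown values (None) count as failures, never as passes."""
    diffs = {}
    for setting, (kind, required) in policy.items():
        actual = system.get(setting)
        if kind == "max":
            ok = actual is not None and actual <= required
        else:
            ok = actual == required
        if not ok:
            diffs[setting] = (required, actual)
    return diffs


def verify_with_real_system(virtual, real):
    """Second difference detection: the examined configuration overrides what the
    answers implied. Returns (verified_config, {setting: (claimed, observed)})."""
    verified = dict(virtual)
    corrections = {}
    for setting, observed in real.items():
        if verified.get(setting) != observed:
            corrections[setting] = (verified.get(setting), observed)
            verified[setting] = observed
    return verified, corrections


# Constructed sample: the interview answers satisfy the draft, the real system does not.
SAMPLE_ANSWERS = {
    "backup_frequency": "daily",
    "password_rotation": "90 days",
    "antivirus_update": "weekly",
    "firewall_present": "yes",
}
SAMPLE_REAL_SYSTEM = {                # what inspection of the hosts actually showed
    "password_rotation_days": None,   # rotation never enforced
    "signature_update_days": 45,      # signature updates neglected, cf. [0008]
}


def run_analysis(answers=SAMPLE_ANSWERS, real=SAMPLE_REAL_SYSTEM, policy=POLICY_DRAFT):
    virtual = design_virtual_system(answers)
    first = detect_differences(policy, virtual)
    verified, corrections = verify_with_real_system(virtual, real)
    second = detect_differences(policy, verified)
    return {"virtual": virtual, "first_diff": first,
            "corrections": corrections, "second_diff": second}


if __name__ == "__main__":
    for key, value in run_analysis().items():
        print(key, value)
```

The point of running the comparison twice is visible in the sample: the answer-derived configuration passes every rule, and only the verified configuration exposes the two settings (password rotation, signature updates) on which the members' picture of the system differs from reality; those are the differences the adjustment step of [0016] then has to act on.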

Brief Description of the Drawings

[0089]

FIG. 1 is a flowchart representing the principle of a business model according to a preferred embodiment of the present invention;

FIG. 2 is a block diagram showing the configuration of an appraisal device;

FIG. 3 is a flowchart representing preparation of an appraisal report;

FIG. 4 is a block diagram showing the configuration of an apparatus for preparing a security policy draft;

FIG. 5 is a flowchart showing establishment of a security policy draft through use of a security policy draft establishment apparatus;

FIG. 6 is a listing of types representing job specifications;

FIG. 7 is a block diagram showing the configuration of an analyzer; and

FIG. 8 is a flowchart showing operations pertaining to inspection and analysis of a system operation.

Detailed Description of the Preferred Embodiment

[0090] A preferred embodiment of the present invention will now be described hereinbelow by reference to the accompanying drawings.

[0091] There will be described a business model concerning a round of operations from establishment of a security policy of a certain organization to maintenance of the security policy. Preferably, the business model is generally implemented by a system engineer through use of a predetermined expert system.

[0092] The principle of the business model according to the present embodiment will first be described. FIG. 1 shows a flowchart representing the principle of such a business model. As illustrated by the drawing, the business model according to the present invention is basically made up of the following six steps.

Step 1: Assessment of security effectiveness

Step 2: Preparation of a security policy draft

Step 3: System, and inspection and analysis of the system

Step 4: Coordination between a policy and rules

Step 5: Priority planning

Step 6: Implementation of measures to enhance security.

[0093] According to the security establishment method consisting of six steps, an interview-based security policy draft is first established. If necessary, the security policy draft is re-adjusted so as to reflect the reality of an organization. Since the security policy is completed stepwise, the security policy can be established in accordance with the schedule or budget of an organization.

[0094] Step 1 is for evaluating the current state of information security of an organization. Through assessment of information security, the organization can ascertain the current state of its information security.

[0095] Step 2 is for preparing an elementary security policy draft by means of submitting inquiries to members of the organization. The security policy draft is prepared by means of a simple interview, and hence a security policy can be prepared at relatively low cost.

[0096] Step 3 is for reviewing a difference between the security policy draft and the reality of the organization. Since the security policy draft is prepared on the basis of mere answers to the inquiries, a difference may arise between the security policy draft and the reality of the organization.

[0097] Step 4 is for adjusting, in accordance with the difference, a security policy or rules about security products which have already been introduced.

[0098] Step 5 is for establishing a future information security plan, taking into consideration precedence in adopting means or measures.

[0099] Step 6 is for performing required security protection measures according to the information security plan.

[0100] Since the security policy is established stepwise as mentioned above, a security policy can be established in accordance with the realities of each organization; that is, the budget or concept of each organization.

[0101] For instance, a security policy draft may be sufficient for a small-scale organization. Priority planning makes a future plan specific, and hence there will be yielded an advantage of easy development of a budget for the organization.

[0102] The dominant steps of the business model according to the present embodiment reside particularly in steps 2 through 4. In step 2, an elementary security policy draft is prepared. In step 3, a difference between the security policy draft and the realities of an organization is analyzed. In step 4, a security policy or rules for security products which have already been introduced are adjusted. So long as a business model includes at least steps 2 through 4, the business model enables systematic establishment of a security policy. Such a business model enables an increase in productivity and quality relative to a conventional method based on experience and intuition.

[0103] In order to implement such stepwise establish- 
ment of a security policy, various expert systems are 
used in the present embodiment. 
[0104] Steps 1 through 6 will now be described Indi- 
vidually, including a method of using expert systems. 

A. Step 1: Assessment of security effectiveness

[0105] In this step, the effectiveness of the current information security of an organization is objectively assessed. Through such an appraisal, the organization can be rated in terms of security. More specifically, the assessment of information security is performed by preparing a security effectiveness assessment report.
[0106] In the present embodiment, security effectiveness is assessed on the basis of the Software Capability Maturity Model developed by Carnegie Mellon University in the U.S. According to this model, security effectiveness is quantitatively assessed with regard to five headings; in other words, a score is assigned to each of the five headings.

[0107] The five headings are as follows: 

a: Comprehension and posture of an administrator regarding information security

b: Security status of an organization 

c: Response to an unexpected disaster 

d: Budgeting for security 

e: Measures to improve security 

[0108] Here, an unexpected disaster means an event which threatens information security; for example, wiretapping or faulty operation of equipment. Entry "c", i.e., response to an unexpected disaster, represents whether or not the organization can address such a disaster. Entry "d", i.e., budgeting for security, represents whether or not a sufficient budget is secured for information security. Entry "e", i.e., measures to improve security, represents the extent to which a schedule or plan for security improvement has been made.
[0109] In the present embodiment, an effectiveness assessment report is prepared with regard to the above-described five headings and includes the scores. By means of such a report, the current security status of an organization can be ascertained.

[0110] A specific method of preparing the security effectiveness assessment report will now be described.
[0111] In the present embodiment, inquiries are submitted to the organization's members, and an effectiveness assessment report is prepared on the basis of the answers to the inquiries. More specifically, an appraisal device 10 shown in FIG. 2 performs preparation of inquiries, collection of answers, and preparation of the security effectiveness assessment report. FIG. 3 shows a flowchart representing the operations for preparing the security effectiveness assessment report. The flowchart shown in FIG. 3 shows, in more detail, the processing pertaining to step S1-1 shown in FIG. 1.

[0112] As shown in FIG. 2, the appraisal device 10 has inquiry preparation means 12 for preparing the inquiries to be submitted to an employee to be inquired, on the basis of his job specifications. For instance, submitting an inquiry about a virus inspection program to the CEO is rather meaningless. Further, if an inquiry about the budget for information security is submitted to a member who has recently joined the organization, acquisition of a meaningful answer is unlikely.
[0113] For these reasons, the inquiry preparation means 12 extracts from storage means 14 the inquiries to be submitted, in accordance with the job specifications of the member to be inquired. A variety of inquiries are stored beforehand in the storage means 14, and the inquiry preparation means 12 extracts the inquiries required for the member to be inquired.
[0114] The present embodiment is characterized in that the inquiries are changed in accordance with the job specifications of an individual member. As a result, preparation of inquiries suitable for the member to be inquired becomes feasible.

[0115] In more detail, a so-called course of inquiries is determined in accordance with the job specifications of a member. The inquiries to be submitted in each course are changed in response to the answers submitted by the member. For example, if in response to an inquiry about the use of a VPN a member has answered that no VPN is used, the detailed inquiries about the VPN are skipped. In contrast, if the member has answered that a VPN is used, the detailed inquiries about the VPN are submitted to the member.
[0116] Such a control operation is implemented by utilization of a so-called knowledge-based expert system.
[0117] The appraisal device 10 has answer archival storage means 16. Answers submitted by members in response to inquiries prepared in the manner mentioned above are supplied to the answer archival storage means 16. The answer archival storage means 16 preserves the answers in the storage means 14.
[0118] The present embodiment is also characterized in that the answer archival storage means 16 has an answer integration function. In a case where inquiries are submitted by a plurality of systems engineers, the answers to the inquiries are collectively stored in the storage means 14 by the answer integration function. In a case where a large number of members are to be inquired, answers can be acquired quickly by having a plurality of systems engineers share the load of submitting inquiries to the members through interviews. In such a case, the resultant answers accumulate in a plurality of computers. Therefore, these answers must be integrated into a single database.

[0119] As a matter of course, the answer integration function can also be utilized for integrating the answers of a single member when, because the inquiries could not be submitted and answered on a single occasion, they were submitted to the member and answered on several occasions.

[0120] The appraisal device 10 has security effectiveness report preparation means 18, which prepares the security effectiveness report, i.e., an assessment report on the information security of the organization, on the basis of the group of answers stored in the storage means 14.
[0121] This appraisal device 10 is a so-called expert system.

[0122] As mentioned above, in the present embodiment in particular, the inquiries are changed according to job specifications, and the appraisal device 10 having the function of integrating collected answers is employed. Consequently, the security effectiveness assessment report can be prepared efficiently and precisely.

[0123] By reference to the flowchart shown in FIG. 3, the operation for preparing the security effectiveness assessment report will now be described.
[0124] In step S3-1, the job specifications of a member to be inquired are supplied to the inquiry preparation means 12, and the inquiries to be submitted to the member are prepared.
[0125] In step S3-2, a systems engineer submits the thus-prepared inquiries to the member.
[0126] In step S3-3, the answers to the inquiries are acquired from the member and delivered to the answer archival storage means 16 of the appraisal device 10. As set forth, the answer archival storage means 16 has the answer integration function and sends the answers to the storage means 14 after having integrated them into a single database. The group of answers acquired by a plurality of systems engineers is integrated into a single database by the answer integration function, and the single set of data is stored in the storage means 14.

Integration Function 

[0127] The integration function includes the following features:

(1) A plurality of systems engineers separately conduct interviews with individual members and collect the resultant answers. For instance, if a plurality of systems engineers conduct interviews with a single member, the resultant answers are integrated into a single database. Likewise, when a series of inquiries of the same type is submitted to a plurality of members, the resultant answers are integrated into a single database.

(2) There may be a case where the same inquiry is submitted to different members through interviews. In such a case, a contradiction may arise among the answers. There are two measures for eliminating the contradiction. The first measure is a re-interview: where respondents have submitted incorrect answers on the point in question, the contradiction can be resolved by conducting a re-interview or an inspection (or both). The second measure is to determine the answer by assigning weights to the answers in accordance with the types (job specifications) of the members.

[0128] In the present embodiment, the user can freely select either the first measure or the second measure. If there is time to conduct a re-interview, the first measure is preferable. In contrast, if too many members are to be interviewed, the second measure is preferable.
[0129] In step S3-4, the security effectiveness report preparation means 18 prepares the security effectiveness assessment report, including the scores assigned to the five respective headings, on the basis of the group of answers stored in the storage means 14.
[0130] As mentioned above, the security effectiveness assessment report is prepared through use of the appraisal device 10.
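The answer integration function described in [0118], [0119] and [0127]-[0128] above, shown as a worked example. This is added example code, not code from the patent or its applicant; the inquiry identifiers, the job types and the weights assigned to them are assumptions made for the illustration.

```python
"""Answer integration (added example; not the patent's own code).

Models the answer integration function of the answer archival storage
means 16: answer batches recorded by several systems engineers, possibly on
several occasions, are merged into one database keyed by inquiry; where
different members contradict each other on the same inquiry, the conflict is
either left open for a re-interview (first measure) or settled by weights
assigned to the respondents' job types (second measure). Inquiry ids, job
types and weights below are assumptions made for the example."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed weights: the nearer a job type is to the subject matter of the
# inquiry, the more its answer counts when answers conflict.
TYPE_WEIGHT = {"CEO": 1.0, "CISO": 3.0, "NETADMIN": 3.0, "STAFF": 1.0}


@dataclass(frozen=True)
class Answer:
    inquiry_id: str   # which inquiry was asked
    respondent: str   # member who answered
    job_type: str     # the member's "type" (job specification)
    value: str        # normalised answer text
    engineer: str     # systems engineer who recorded the answer
    session: int      # interview occasion


def integrate(*batches):
    """Merge batches (one per engineer, computer or session) into one
    database: inquiry_id -> [Answer]. An identical answer by the same member
    to the same inquiry recorded twice (e.g. asked again on a later occasion)
    collapses to one entry, so it is not counted twice."""
    db = defaultdict(list)
    seen = set()
    for batch in batches:
        for a in batch:
            key = (a.inquiry_id, a.respondent, a.value)
            if key not in seen:
                seen.add(key)
                db[a.inquiry_id].append(a)
    return dict(db)


def contradictions(db):
    """Inquiry ids for which the integrated answers disagree."""
    return sorted(q for q, ans in db.items() if len({a.value for a in ans}) > 1)


def resolve(db, measure):
    """One value per inquiry. measure="reinterview": contradictions stay None
    (to be settled by re-interview or inspection); measure="weighted": the
    value with the highest summed job-type weight wins, ties stay None."""
    result = {}
    for q, ans in db.items():
        values = {a.value for a in ans}
        if len(values) == 1:
            result[q] = values.pop()
        elif measure == "reinterview":
            result[q] = None
        elif measure == "weighted":
            score = defaultdict(float)
            for a in ans:
                score[a.value] += TYPE_WEIGHT.get(a.job_type, 1.0)
            best = max(score.values())
            winners = [v for v, s in score.items() if s == best]
            result[q] = winners[0] if len(winners) == 1 else None
        else:
            raise ValueError(f"unknown measure: {measure}")
    return result


# Constructed sample data: two engineers, bob interviewed on two occasions.
ENGINEER_A = [
    Answer("vpn-used", "alice", "NETADMIN", "yes", "eng1", 1),
    Answer("pw-expiry-set", "alice", "NETADMIN", "yes", "eng1", 1),
    Answer("budget-allocated", "bob", "CEO", "yes", "eng1", 1),
]
ENGINEER_B = [
    Answer("vpn-used", "carol", "STAFF", "no", "eng2", 1),
    Answer("pw-expiry-set", "dave", "STAFF", "yes", "eng2", 1),
    Answer("budget-allocated", "bob", "CEO", "yes", "eng2", 2),
]

if __name__ == "__main__":
    db = integrate(ENGINEER_A, ENGINEER_B)
    print("contradictions:", contradictions(db))
    print("first measure: ", resolve(db, "reinterview"))
    print("second measure:", resolve(db, "weighted"))
```

With the first measure the `None` entries returned by `resolve` double as the re-interview list; with the second measure only inquiries whose weighted votes tie remain open, which is why the weights should favour the roles actually responsible for the subject of each inquiry.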

Comparison between the Industry Standard and the Scores Described in the Security Effectiveness Assessment Report

[0131] As mentioned previously, scores (points) are assigned to the five respective headings described in the security effectiveness assessment report.
[0132] The present embodiment is characterized particularly in that the average of the scores assigned to all organizations, and the highest score in the industry to which the organization belongs, are displayed along with the score given in the security effectiveness assessment report. Here, the expression "highest score" means the top score (a theoretical value) which can be attained by any organization belonging to the industry.
[0133] As a result, the ranking, within its industry, of the efforts made by the organization to ensure information security can be readily ascertained. Such a mean value and the maximum value for each industry are stored in the storage means 14 beforehand. Further, the average value is updated every time an assessment of security effectiveness is performed, whereby the scores to be assigned to a given organization are calculated.

Consideration of Geographical Factors

[0134] In the present embodiment, inquiries which take geographical factors into consideration are also included; for example, an inquiry as to whether the dominant market for products is domestic or overseas, or an inquiry about the nationality of a dominant business partner. By means of such inquiries, the effectiveness of information security can be assessed in consideration of geographical factors, that is, the differences in security between regions.

Report on the Progress of Implementation of Security 
Measures 

[0135] In the present embodiment, the security effectiveness assessment report is prepared so that the status of the information security of an organization is investigated prior to the establishment of a security policy. However, if the security effectiveness report is prepared during the course of the sequential implementation of measures for information security, the progress of implementing those measures can be ascertained. Accordingly, the step of preparing the security effectiveness report also serves as a step of reporting the progress of implementation of security measures.
[0136] In the appraisal device 10 according to the present embodiment, all the inquiries and the corresponding answers are stored in the storage means 14. However, the inquiries may be stored in one storage means and the answers in another.

B. Step 2: Preparation of Security Policy Draft 

[0137] In this step, a simple security policy draft for the organization is prepared. The draft corresponds to a security policy based on the answers submitted by members of the organization in response to inquiries. Since the actual information system of the organization has not yet been investigated, a security policy proper cannot be established at this stage.

[0138] Various basic headings and contents used for establishing a standard security policy are already known in the form of international guidelines. These guidelines are hereinafter called global guidelines. In the present embodiment, a security policy draft is prepared by extracting principles from the global guidelines and combining the thus-extracted principles as required.

[0139] In the present embodiment, a security policy draft preparation device 20 is used for preparing the security policy draft. FIG. 4 is a block diagram showing the configuration of the security policy draft preparation device 20.

[0140] As shown in FIG. 4, the security policy draft preparation device 20 has inquiry preparation means 22 for preparing the inquiries to be submitted to a member to be inquired, in accordance with the job specifications of that member. As with the inquiry preparation means 12 of the appraisal device 10, the inquiries are changed in accordance with the job specifications of the member to be inquired, so that useful answers are acquired.
[0141] A variety of inquiries are stored beforehand in storage means 24 provided in the security policy draft preparation device 20, as in the case of the storage means 14 shown in FIG. 2. The inquiry preparation means 22 extracts appropriate inquiries from the storage means 24 in accordance with the job specifications of a member.

[0142] The security policy draft preparation device 20 is further equipped with answer archival storage means 26. The answer archival storage means 26 stores answers into the storage means 24, as does the answer archival storage means 16. Further, the answer archival storage means 26 has an answer integration function, as does the answer archival storage means 16.

[0143] The security policy draft preparation device 20 has draft preparation means 28 for preparing a security policy draft. The draft preparation means 28 prepares the security policy draft on the basis of the group of answers stored in the storage means 24.

[0144] The security policy draft preparation device 20 is a so-called expert system, as is the appraisal device 10. In fact, the previously-described individual means are preferably embodied as software which is executed on a computer.

[0145] By reference to the flowchart shown in FIG. 5, the operation for preparing a security policy draft will now be described. FIG. 5 shows a flowchart representing the operation for preparing a security policy draft through use of the security policy draft preparation device 20.
[0146] In step S5-1, the job specifications of the members who are to be inquired are supplied to the inquiry preparation means 22, and the inquiries to be submitted to the members are prepared.

[0147] As set forth, in the present embodiment, the inquiries to be prepared are determined in accordance with the job specifications of the members. Consequently, appropriate inquiries for the members to be inquired can be prepared.

[0148] A so-called course of inquiries is determined in accordance with the job specifications of a member. The actual inquiries to be submitted in each course are changed in response to the answers submitted by the member. For example, if in response to an inquiry about the use of a VPN a member has answered that no VPN is used, the detailed inquiries about the VPN are skipped. In contrast, if the member has answered that a VPN is used, the detailed inquiries about the VPN are submitted to the member.
[0149] Such a control operation is implemented by utilization of a so-called knowledge-based expert system.
[0150] In step S5-2, the thus-prepared inquiries are submitted to the members.

[0151] In step S5-3, the answers to the inquiries are submitted by the members and entered into the answer archival storage means 26 of the security policy draft preparation device 20. Preferably, the answers are entered by systems engineers. As a matter of course, a form may be employed in which individual members answer the inquiries by way of a screen of the security policy draft preparation device 20. The answer archival storage means 26 has an answer integration function, as mentioned above, and integrates the answers acquired by a plurality of systems engineers into a single database, which it stores in the storage means 24.

[0152] In step S5-4, on the basis of the group of an- 
swers stored in the storage means 24, the draft prepa- 
ration means 28 prepares a security policy draft by com- 
bination of various principles extracted from the global 
guidelines. 

[0153] As set forth, a security policy draft is prepared through use of the security policy draft preparation device 20.

[0154] In the present embodiment, three types of security policy (drafts) are prepared: that is, an executive-level security policy (draft), a corporate-level security policy (draft), and a product-level security policy (draft). These three types of security policy draft will be described later in section B-5.

B-1: Inquiries (for an Interview)

[0155] The inquiries (often called an "interview") will be described hereinbelow.

[0156] The headings of the interview are as follows:

1. Enterprise

2. Network

3. Server and host

4. Application and database

5. Security items of great importance

6. Items to be corrected

[0157] The individual headings will now be described.

(1) Enterprise

[0158] In connection with the heading "enterprise," an interview is conducted on the outline and organization of an "enterprise," which is one typical type of organization. From the answers to the inquiries, there can be derived an information security administration system, policy principles, and an analysis of weaknesses.
[0159] The heading "enterprise" is followed by the following sub-headings.

1.1 Management system

1.2 Employees

1.3 Outline of enterprise

1.4 Vendors

1.5 Clients

1.6 Consultants

1.7 Outsourcing

1.8 Application

1.9 Network

1.10 Security profile

1.11 Business category

1.12 Organization policy

[0160] The inquiry headings may change according to job specifications. For instance, the inquiry heading "host" is not provided for a chief executive officer. Thus, the present embodiment is characterized in that the inquiries change according to job specifications, so that inquiries tailored to the member's job specifications can be submitted, enabling an efficient interview.

(2) Network 

[0161] In connection with the heading "network," inquiries about the outline, operation, and settings of the network are submitted through an interview. From the answers to these inquiries, there can be derived the weaknesses of the network, a corporate-level policy pertaining to the network, and the like.

[0162] The majority of the group of inquiries about the heading "network" exert an influence on the corporate-level policy. However, some of the inquiries may affect the product-level policy.

[0163] Heading "network" is followed by the following 
sub-headings. 

2.1 Operation environment 

2.2 Network properties 

2.3 Authentication and Identification 

2.4 Audit and logs 

2.5 Access control 

2.6 Modification procedures 

2.7 Disaster recovery 

2.8 Operation reliability 

2.9 Physical security 

2.10 Modem 

2.11 Workstation security 

(3) Server and host 

[0164] In connection with the heading "server and host," inquiries about the outline, operation, and settings of the hosts are submitted through an interview. From the answers to the inquiries, there are derived the weaknesses of a host and a corporate-level policy pertaining to hosts and servers.

[0165] The majority of the inquiries about the heading "server and host" exert an influence on the corporate-level policy, and some of the inquiries may affect the product-level policy.

[0166] Heading "server and host" is followed by the 
following sub-headings. 

3.1 Properties of server and host 

3.2 Authentication and identification 

3.3 Audit and logs 

3.4 Access control 

3.5 Modification procedures 

3.6 Disaster recovery and back-up 

3.7 Operation reliability 

3.8 Physical security 
(4) Application and database

[0167] In connection with the heading "application and database," inquiries about the outline, operation, and settings of the applications are submitted through an interview. From the answers to the inquiries, there are derived the weaknesses of an application and a corporate-level policy pertaining to applications. The majority of the inquiries about the heading "application and database" exert an influence on the corporate-level policy, and some of the inquiries may affect the product-level policy.
[0168] The heading "application and database" is followed by the following sub-headings.

4.1 Properties of application and database

4.2 Authentication and identification

4.3 Audit and logs

4.4 Access control

4.5 Modification procedures

4.6 Disaster recovery and back-up

4.7 Operation reliability

4.8 Physical security

(5) Security items of great importance

[0169] In connection with the heading "security items of great importance," inquiries about the information usually required for establishing a firewall are submitted through an interview. From the answers to the inquiries, there are derived a corporate-level policy and a product-level policy. The majority of the inquiries about the heading "security items of great importance" exert an influence on the corporate-level policy and the product-level policy, and some of the inquiries may affect the executive-level policy.
[0170] The heading "security items of great importance" is followed by the following sub-headings.

5.1 Management of firewall

5.2 Packet filtering

5.3 NAT (network address translation)

5.4 SMTP content filtering

5.5 FTP content filtering

5.6 HTTP content filtering

5.7 Logs and alerts

(6) Items to be corrected

[0171] In connection with the heading "items to be corrected," inquiries about the information usually required for establishing a VPN are submitted through an interview. From the answers to the inquiries, there are derived a corporate-level policy and a product-level policy.
[0172] The heading "items to be corrected" is followed by the following sub-headings.

6.1 VPN properties

6.2 VPN management

6.3 Key delivery

6.4 Logs and audit

B-2 Interview style

[0173] The contents of the interview are as set forth, and the interview is conducted in any of various forms, such as a free-description form or a multiple-choice form.

B-3 Interviewee 

[0174] The security policy draft preparation device 20 according to the present embodiment changes the inquiries according to the member who is the interviewee. In short, the inquiries are controlled according to the job specifications of the interviewee.

[0175] Consequently, appropriate inquiries to be submitted to the interviewee can be prepared.
[0176] In more detail, a so-called course of inquiries is determined in accordance with the job specifications of a member. The inquiries to be submitted in each course are changed in response to the answers submitted by the member. For example, if in response to an inquiry about the use of a VPN a member has answered that no VPN is used, the detailed inquiries about the VPN are skipped. In contrast, if the member has answered that a VPN is used, the detailed inquiries about the VPN are submitted to the member.
[0177] Such a control operation is implemented by utilization of a so-called knowledge-based expert system.
[0178] Prior to the conduct of an actual interview, the job specifications of the interviewee must be entered into the security policy draft preparation device 20. More specifically, data pertaining to the following entries are input.

* Name
* Department (division)
* Title
Postal code
Address
Country
Phone number
E-mail address
Type

[0179] Of these entries, the entries prefixed by asterisks are required. Here, the expression "type" denotes a symbol representing a job specification. In the present embodiment, the symbols shown in FIG. 6 are used for expressing a job specification. Simply put, the "type" denotes the job specification, and the inquiries to be submitted are determined on the basis of the type. A listing of the types handled in the present embodiment is shown in FIG. 6.

[0180] The inquiries actually submitted to an interviewee change according to the answers. Such control of the inquiries is performed on the basis of a knowledge-based operation. For instance, an inquiry about the "expiration date of a password" is not submitted to members who, in response to an inquiry as to whether or not an expiration date is set for passwords, have answered that no expiration is imposed on passwords. In contrast, an inquiry about the expiration date of a password may be submitted to members who have answered that an expiration date is set for passwords.
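The control of the course of inquiries described in [0115], [0148], [0176] and [0180] above (VPN follow-ups only when a VPN is used, the password expiration period only when an expiration is set at all), shown as a worked example. This is added code, not the patent's expert system; the type symbols, inquiry texts and knowledge base below are assumptions made for the illustration, and the type list of FIG. 6 is not reproduced.

```python
"""Knowledge-based course of inquiries (added example; not the patent's own
code).

Models the inquiry preparation means 12/22: the member's type (job
specification) selects the course, and follow-up inquiries are submitted only
when an earlier answer makes them meaningful: detailed VPN inquiries only if a
VPN is used, the password expiration period only if an expiration is set at
all. Inquiry texts, type symbols and course contents are assumptions made for
the example; the patent's FIG. 6 type list is not reproduced here."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Inquiry:
    id: str
    text: str
    types: frozenset        # job types for which the inquiry is meaningful
    depends_on: tuple = ()  # (inquiry_id, required_answer) pairs; all must hold
    heading: str = ""       # interview heading the inquiry belongs to


# Assumed type symbols.
ALL = frozenset({"CEO", "CISO", "NETADMIN", "STAFF"})
TECH = frozenset({"CISO", "NETADMIN"})
MGMT = frozenset({"CEO", "CISO"})

# Assumed knowledge base. Dependencies appear before the inquiries that need them.
KNOWLEDGE_BASE = (
    Inquiry("budget", "Is a budget allocated for information security?", MGMT,
            heading="Enterprise"),
    Inquiry("av-installed", "Is a virus inspection program installed on all hosts?",
            TECH, heading="Server and host"),
    Inquiry("vpn-used", "Is a VPN used for remote or site-to-site access?", TECH,
            heading="Network"),
    Inquiry("vpn-key-delivery", "How are VPN keys delivered to endpoints?", TECH,
            (("vpn-used", "yes"),), "Items to be corrected"),
    Inquiry("vpn-mgmt", "Who administers the VPN gateway configuration?", TECH,
            (("vpn-used", "yes"),), "Items to be corrected"),
    Inquiry("pw-expiry-set", "Is an expiration imposed on passwords?", ALL,
            heading="Authentication and identification"),
    Inquiry("pw-expiry-days", "After how many days does a password expire?", ALL,
            (("pw-expiry-set", "yes"),), "Authentication and identification"),
)


class Course:
    """One interview. next() returns the next inquiry that is meaningful for the
    member's type and whose preconditions are satisfied by the answers so far;
    a follow-up whose precondition is contradicted is never asked."""

    def __init__(self, job_type, kb=KNOWLEDGE_BASE):
        self.job_type = job_type
        self.kb = kb
        self.answers = {}

    def applicable(self, inq):
        if self.job_type not in inq.types:
            return False
        return all(self.answers.get(dep) == want for dep, want in inq.depends_on)

    def next(self):
        for inq in self.kb:
            if inq.id not in self.answers and self.applicable(inq):
                return inq
        return None

    def answer(self, inquiry_id, value):
        self.answers[inquiry_id] = value.strip().lower()


def run_course(job_type, scripted):
    """Run a whole course against constructed (scripted) answers and return
    the ids of the inquiries actually submitted, in order. Unscripted
    inquiries are answered "no"."""
    course = Course(job_type)
    asked = []
    while (inq := course.next()) is not None:
        asked.append(inq.id)
        course.answer(inq.id, scripted.get(inq.id, "no"))
    return asked


if __name__ == "__main__":
    print("CEO     :", run_course("CEO", {"budget": "yes", "pw-expiry-set": "no"}))
    print("NETADMIN:", run_course("NETADMIN", {"av-installed": "yes", "vpn-used": "yes",
                                               "pw-expiry-set": "yes", "pw-expiry-days": "90"}))
```

The same knowledge base serves both the appraisal device 10 and the draft preparation device 20 in this model: the type filter removes inquiries that are meaningless for a role (the virus inspection program is never put to the CEO), and the precondition tuples carry the branching that the text describes for the VPN and password cases.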

B-4 Information Assets to be Managed

[0181] In the present embodiment, the information assets for which security must be ensured are classified into five categories; namely, network, host, application, user group, and others. When information assets are entered into the security policy draft preparation device 20 according to the present embodiment, data pertaining to the following four entries are to be input. Here, where an information asset belongs to either the category "host" or the category "network," data pertaining to two additional entries, i.e., "IP address" and "subnet mask," are to be entered.

Asset ID
* Asset type
* Name of asset
Details

Of these entries, the entry "asset type" covers five types.

A: Application
H: Host
N: Network
U: User group
W: Others, including URLs, domain names, and file names

[0182] The expression "user group" designates a logical set of users possessing a common characteristic. For example, the users who handle, amend, analyze, and report accounting information are collectively called the "accounting group." Each user group is formed from one or more users. The word "user" designates a human who uses information assets.
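The asset entries of [0181] above, with the additional IP address and subnet mask required for host and network assets, shown as an added validation example (not code from the patent). Treating the asset ID as a required entry, and the consistency checks of the address against its mask, are assumptions made for the example.

```python
"""Validation of information-asset entries (added example; not the patent's
own code).

Models the asset input of the security policy draft preparation device 20:
five asset types (A, H, N, U, W), required entries, and the rule that host
and network assets additionally carry an IP address and subnet mask. Treating
the asset ID as required, and the stricter checks (a network asset's address
must be the network address of its subnet; a host's address must not be the
network or broadcast address), are assumptions made for the example."""
import ipaddress

ASSET_TYPES = {
    "A": "Application",
    "H": "Host",
    "N": "Network",
    "U": "User group",
    "W": "Others (URL, domain name, file name)",
}
REQUIRED = ("asset_id", "asset_type", "name")  # asterisked entries plus the ID (assumption)
ADDRESSED = {"H", "N"}                          # types that need ip_address and subnet_mask


def validate_asset(rec):
    """Return a list of problems for one asset record; [] means acceptable."""
    problems = [f"missing required entry: {f}"
                for f in REQUIRED if not str(rec.get(f, "")).strip()]
    atype = rec.get("asset_type")
    if atype not in ASSET_TYPES:
        problems.append(f"unknown asset type: {atype!r}")
        return problems
    ip, mask = rec.get("ip_address"), rec.get("subnet_mask")
    if atype not in ADDRESSED:
        if ip or mask:
            problems.append("ip_address/subnet_mask are only meaningful for host or network assets")
        return problems
    if not ip or not mask:
        problems.append("host/network assets need ip_address and subnet_mask")
        return problems
    try:
        # ip_interface accepts a dotted-decimal netmask after the slash.
        iface = ipaddress.ip_interface(f"{ip}/{mask}")
    except ValueError as e:
        problems.append(f"invalid address or mask: {e}")
        return problems
    net = iface.network
    if atype == "N" and iface.ip != net.network_address:
        problems.append(f"network asset address {ip} is not the network address of {net}")
    if (atype == "H" and net.prefixlen < 31
            and iface.ip in (net.network_address, net.broadcast_address)):
        problems.append(f"host address {ip} is the network or broadcast address of {net}")
    return problems


def load_assets(records):
    """Split records into (accepted, rejected); rejected carries the problems."""
    accepted, rejected = [], []
    for rec in records:
        problems = validate_asset(rec)
        (rejected if problems else accepted).append((rec, problems))
    return [r for r, _ in accepted], rejected


# Constructed sample records.
SAMPLE_ASSETS = [
    {"asset_id": "H-001", "asset_type": "H", "name": "mail01",
     "ip_address": "10.0.1.7", "subnet_mask": "255.255.255.0", "details": "SMTP relay"},
    {"asset_id": "N-001", "asset_type": "N", "name": "dmz",
     "ip_address": "10.0.1.0", "subnet_mask": "255.255.255.0"},
    {"asset_id": "N-002", "asset_type": "N", "name": "bad-dmz",
     "ip_address": "10.0.1.7", "subnet_mask": "255.255.255.0"},
    {"asset_id": "U-001", "asset_type": "U", "name": "accounting group"},
    {"asset_id": "W-001", "asset_type": "W", "name": "https://intranet.example/"},
    {"asset_id": "H-002", "asset_type": "H", "name": "no-address"},
    {"asset_id": "", "asset_type": "X", "name": "mystery"},
]

if __name__ == "__main__":
    ok, bad = load_assets(SAMPLE_ASSETS)
    print("accepted:", [r["asset_id"] for r in ok])
    for rec, problems in bad:
        print("rejected:", rec["asset_id"] or "<no id>", problems)
```

Rejecting a record rather than silently storing it matters here because the host and network entries later drive the product-level rules (packet filtering, NAT, VPN); an asset with an address that does not match its mask would produce rules for the wrong range.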

B-5 Preparation of Security Policy Draft

[0183] A security policy is established by entering into the security policy draft preparation device 20 the answers to the foregoing inquiries. This device is a so-called expert system: upon entry of the answers to the inquiries into the system, the system produces and outputs a security policy. Such a device, which produces data of some kind in response to the entry of answers to inquiries, is already known as an expert system, and hence its detailed explanation is omitted.
[0184] In the present embodiment, three types of security policy are produced; i.e., an executive-level security policy, a corporate-level security policy, and a product-level security policy. Similarly, three types of security policy draft are prepared, corresponding to the respective security policies.

(1) Executive-level security policy 

[0185] An executive-level security policy consists of descriptions of the organization's "concept" and "policy" concerning security.

[0186] An executive-level policy includes the following items.

Access Control

[0187] The owner of information assets must manage and control the right to access those information assets. In order to implement control of the access right, the access control mechanism of the control system used for preserving or processing the information assets must be used. The item "access control" describes the organization's concept and policy concerning control of the access right.

Accuracy of Information

[0188] Sustaining the accuracy of information content is of extreme importance, because information is indispensable for making business decisions. The item "accuracy of information" describes the organization's concept and policy concerning the accuracy of information content.

Guarantee

[0189] An organization must employ appropriate measures to ensure the suitable safety, i.e., security, of its information resources. The item "guarantee" describes the organization's concept and policy concerning measures to ensure safety.

Accountability

[0190] All systems must enable the recording and analysis of user activities, and each individual user must bear responsibility for his own acts. The item "accountability" describes the organization's concept and policy concerning the personal responsibility of an individual user.

Emergency Response Plan

[0191] An organization must prepare a detailed plan and procedures for ensuring an appropriate response to interference with a system or a network. The item "emergency response plan" describes the organization's concept and policy concerning the plan and procedures for responding to an emergency.

Awareness of Security

[0192] Top executives and other employees must become conscious of the requirements of the organization's information security, as well as of their personal responsibility. The item "awareness of security" describes the organization's concept and policy concerning personal responsibility.

Categorization of Information

[0193] Information security is for protecting information assets. For this reason, the information assets which are the objects of protection must be categorized and appropriately protected according to their categories. The item "categorization of information" describes the organization's concept and policy concerning information assets.

Vocational Ethics

[0194] A user must handle information ethically. In the event a user handles information in an unethical manner, the user will be subjected to sanction. In short, the user must be conscious that he may be subjected to sanction. The item "vocational ethics" describes the organization's concept and policy concerning the vocational ethics of a user.

Document Management

[0195] All security systems must be appropriately recorded in documents. The item "document management" describes the organization's concept and policy concerning documentation.

Investigation

[0196] In the event of a violation of the security policy, the organization must investigate the violation and document its details. The item "investigation" describes the organization's concept and policy concerning the investigation and documentation of violations of the security policy.



Privacy

[0197] Information is to be used on the precondition that the privacy of the members concerned is guaranteed. Item "privacy" describes the organization's concept and policy concerning privacy.

Risk Management

[0198] An owner of information must evaluate potential risks and take appropriate measures to control and protect the information. Item "risk management" describes the organization's concept and policy concerning evaluation of risks and measures to control and protect information.

Verification

[0199] An organization must periodically verify the implementation of security. Item "verification" describes the organization's concept and policy concerning verification of security.

Asset Assessment

[0200] An organization must analyze its information assets. Item "asset assessment" describes the organization's concept and policy concerning assessment of assets.

(2) Corporate-level Policy

[0201] With regard to the information assets of an organization, the descriptions of the executive-level policy are applied to a corporate-level policy. The corporate-level policy corresponds to the description of "operating procedures." The corporate-level policy is applied to each operating unit of the organization. Operating units are formed by dividing the constituent elements of an information system into groups according to function. For example, a network, a host, and an application are operating units.

[0202] The executive-level policy describes the so-called "constitution" (dominant principles), whereas the corporate-level policy describes "laws" (rules based on the dominant principles).

[0203] The corporate-level policy is divided into two levels: a top-level policy and a sub-level policy.

Top-Level Policy

[0204] A top-level policy is a policy concerning all operating units which constitute the organization. For example, regulations are described for each operating unit.

Network

[0205] Item "network" describes regulations concerning the entire network of the organization.

Host

[0206] Item "host" describes regulations concerning all hosts provided in the organization.

Application

[0207] Item "application" describes regulations concerning all applications employed in the organization.

Sub-Level Policy

[0208] The sub-level policy describes specific policies concerning the individual units into which the operating units are further subdivided. For example, the sub-level policy comprises descriptions pertaining to the following items.
Software Management

[0209] Item "software management" describes regulations with regard to the use of software in the organization and the management of software licenses.

Dial-up

[0210] Item "dial-up" describes regulations with regard to the individual remote access servers employed in the organization.

Electronic Mail

[0211] Item "electronic mail" describes regulations with regard to the individual e-mail accounts and messages in the organization.

Firewall Management

[0212] Item "firewall management" describes regulations with regard to the management of the individual firewalls used in the organization.

Cryptography

[0213] Item "cryptography" describes regulations with regard to the implementation of the individual cryptographic tools used in the organization.

Electronic Commerce

[0214] Item "electronic commerce" describes regulations with regard to the electronic transactions used in the organization.

Network

[0215] Item "network" describes regulations with regard to the implementation of the individual networks employed in the organization.

Host

[0216] Item "host" describes regulations with regard to the implementation of the individual hosts used in the organization.

Application

[0217] Item "application" describes regulations with regard to the individual applications used in the organization.

[0218] A top-level corporate-level policy is prepared on the basis of information (information derived from answers) collected from the chief information officer and managerial members through interviews. Preparation of a top-level corporate-level policy does not involve an interview with the director of a system. Here, a director of a system is a member who manages network segments, hosts, or application systems.

[0219] The sub-level corporate-level policy involves the results of an interview conducted with a system administrator. To this end, a system-level interview must be conducted. The system-level interview is an interview by which inquiries about individual operating units are submitted to a system administrator.
(3) Product-level Policy

[0220] A product-level policy describes the specific "methods" to be used for protecting information assets, and the nature of the resources (security products and operating systems) and their settings. The executive-level policy describes a policy and management rules, whereas the product-level policy refers to the details of hardware and software. On the basis of the "principles" provided by the executive-level policy and the "specifications" provided by the corporate-level policy, a specific "method" for embodying protection of information assets is provided. Hence, the product-level policy includes descriptions regarding the implementation of specific technology.

[0221] The product-level policy includes descriptions about software and hardware, as well as specific rules for operating the software and hardware.

[0222] The product-level policy by its nature receives little respect from members. For reasons of actual job performance, there may be a case where the products to be used are changed, or a case where alternate equipment is used because of equipment failure. Liability for such circumstances, and product standards, are left to the "principles" stipulated in the executive-level policy or to the "regulations" stipulated in the corporate-level policy. In other words, the executive-level policy or the corporate-level policy must sufficiently specify measures against these circumstances.

[0223] So to speak, the previously-described executive-level policy states the principle; for example, a rule that an access right must be revoked after completion of the job requiring the access right.

[0224] The corporate-level policy states specific rules; for example, a rule that access must be controlled by means of an operating system.

[0225] In contrast, the product-level policy stipulates specific means; for example, a stipulation stating that "Administrator X controls access to server A. A member who requires access to server A for business must request administrator X to issue an access right. After completion of the job, the member immediately requests administrator X to revoke the access right."

[0226] In the present embodiment, there are two product-level policies.

[0227] A first-level product policy is described in natural language, as are the executive-level policy and the corporate-level policy. The foregoing examples belong to the first-level product-level policy.

[0228] A second-level product policy is a script file stating the settings of specific systems. More specifically, the second-level product policy describes a setting script file for an individual system (including both hardware and software). Therefore, the second-level product policy can be used for setting a system in its present form. In the present embodiment, a specific script file for an individual system is prepared as a product-level policy. Accordingly, there is yielded the advantage of alleviating the labor required for actually setting firewalls or routers.



C. Step 3: Actual Inspection and Analysis of the System and of Its Operation

[0229] In this step, the difference existing between the thus-prepared security policy draft, the realities of the information system, and the method of operating the information system is examined and analyzed. The analysis is performed both to find the difference and to indicate proposed countermeasures and their priority.

[0230] The inspection and analysis to be performed in this step are made up of the following two levels.

C-1 Level-1 Actual Inspection and Analysis

[0231] A security policy draft is prepared on the basis of inquiries and the answers to them. In this process, variations or contradictions between answers may arise. Moreover, answers are not necessarily correct.

[0232] For these reasons, the following operations are performed during level-1 inspection and analysis.

[0233] First, the answers are examined as to whether or not a contradiction arises among a plurality of answers. Further, a comparison is performed between the security policy draft and the information system depicted from the answers acquired by means of interviews. A comparison is also made between the security policy draft and the actual information system which has been verified through inspection, thereby detecting a difference.

[0234] An information system is actually inspected through use of an analyzer, which is an expert system. FIG. 7 is a block diagram showing the configuration of an analyzer 30. As can be seen from the drawing, the analyzer 30 has contradiction inspection means 32 for inspecting whether or not a contradiction arises in a group of answers. The inspection result is supplied to contradiction output means 40.

[0235] The contradiction output means 40 outputs the inspection result to the outside in the form of an interview result contradiction report.

[0236] The contents of the interview result contradiction report are supplied to matching means 41. In a case where a contradiction between answers is found, the matching means 41 performs whichever of the two operations provided below the user selects.

(1) On the basis of the job specifications of the members, the most probable answer is adopted by utilization of a knowledge-based expert system.

(2) An interview is conducted again with regard to the contradiction, or the realities of the information system are actually investigated. Alternatively, and desirably, both a re-interview and an actual inspection of the information system are performed.

[0237] The matched results of the interview (i.e., the answers obtained as a result) are supplied to virtual information system establishment means 34.

[0238] On the basis of the group of matched answers, the virtual information system establishment means 34 virtually establishes an information system for the organization. The configuration and operation of the information system established by the virtual information system establishment means 34 are supplied to difference output means 38.

[0239] The analyzer 30 has real system input means 36 for entering the configuration and operation of the actual information system of the organization. The configuration and operation of the real system entered by way of the real system input means 36 are supplied to the difference output means 38.

[0240] Further, the security policy draft is supplied to the difference output means 38. By means of the foregoing configuration, the difference output means 38 performs the following two comparison operations, thereby detecting and outputting the respective differences.

(1) Analysis of the difference between the security policy draft and the result of the interviews.

(2) Analysis of the difference between the security policy draft and the interview result which has been verified by means of actual inspection.

[0241] In the analysis of difference (1), the security policy draft is compared with the information system established by the virtual information system establishment means 34. Both the security policy draft and this information system are prepared on the basis of the results (the answers obtained) of interviews conducted with the members. Therefore, it might be thought that no substantial difference would be found as a result of the comparison. However, minimum requirements for drafting a security policy must be provided.

[0242] For example, in a case where the answers to interviews state that "a password is valid without limit," the security policy is not allowed to make a password valid without limit. Expiration of a password is a fundamental requirement of the security policy. A security policy without such a requirement does not merit being called a security policy.

[0243] For this reason, a difference exists between the security policy draft and the interview results. The detected difference is output as an analysis report.
[0244] By means of this analysis report, the portions of the interview results which are to be amended in terms of the security policy can be found.

[0245] In the analysis of difference (2), the security policy draft is compared with the established virtual information system which has been verified by means of actual inspection.

[0246] As mentioned above, the virtual information system is established on the basis of interview results only. Therefore, if the virtual information system which has been verified against the actual information system is compared with the security policy draft, the points of the actual information system which are to be amended can be ascertained more clearly.

[0247] The more accurate the actual inspection conducted for the purpose of verification, the more preferable the inspection result. However, investigation of the entire information system consumes much time and effort and makes the interviews meaningless.

[0248] For these reasons, investigation of the actual information system is performed as a supplement to the answers obtained through the interviews. An efficient way of attaining this is to verify the virtual information system and analyze the difference between the thus-verified information system and the security policy.

[0249] For example, emphasizing investigation of a contradiction between answers is preferable. An alternative is emphasizing investigation of an inquiry which a member (i.e., an interviewee) could not answer due to forgetfulness.

[0250] The extent to which an investigation is to be performed should be determined on the basis of the required accuracy, the time limit, and costs. The thus-determined difference is output as an analysis report.

[0251] Either comparison (1) or (2), or both, may be performed. Preferably, if an insufficient result is obtained from comparison (1), comparison (2) is performed.

[0252] Preferably, higher-priority portions are subjected to actual inspection, in consideration of the priority determined as a result of the level-2 inspection and analysis to be described later.

[0253] FIG. 8 shows a flowchart representing the processing pertaining to step 3. The flowchart shows in more detail the processing pertaining to step S1-3 shown in FIG. 1.

[0254] In step S8-1, an inspection is performed as to whether or not the answers include a contradiction, through use of the contradiction inspection means 32. In step S8-2, an inspection is performed as to whether or not a difference exists between the security policy draft and the interview results, through use of the difference output means 38. Here, the interview results comprise the virtual information system established on the basis of the answers to interviews and the virtual information system which has been verified by means of actual inspection of the real information system.

[0255] No specific sequence exists between the processing pertaining to step S8-1 and the processing pertaining to step S8-2; the processing pertaining to step S8-2 may be performed first.

[0256] As mentioned above, according to the present embodiment, since the analyzer 30 shown in FIG. 7 is employed, the user can immediately become aware of whether or not the answers include a contradiction, or whether or not a difference exists between the answers and the real information system.

[0257] Here, the analyzer 30 is a so-called expert system. Further, the previously-described means are preferably implemented by software which runs on a computer.

C-2 Level-2 Actual Inspection and Analysis

[0258] Through level-2 actual inspection and analysis, a difference obtained in level-1 actual inspection and analysis is classified into one of three categories: a difference in member assignment, a difference in operating method, and a difference in technical measures. For each of the three types of difference, countermeasures and priority are analyzed.

[0259] Example measures for cases where a difference in network policies exists, and the priority of the measures, will now be described.

(1) Difference 1

[0260] Type of Difference: Difference in personnel assignment

[0261] Details: The network policy states that an administrator of each network segment is to be clearly designated. However, network segment administrators are not clearly designated in the real information system.

[0262] Measures: Administrators or owners are clearly allocated to the respective network segments.

Priority: Immediately



(2) Difference 2

[0263] Type of Difference: Difference in technical measures

[0264] Details: The network policy states that if a password used for user authentication in the network has not been used for a long period of time, the password should be deleted. However, the real information system has no mechanism for deleting such a password.

[0265] Measures: Establish a mechanism for deleting the password assigned to a user account which has not been used for 30 days.

Priority: High

[0266] In the flowchart shown in FIG. 8, step S8-3 corresponds to the operation for determining the measures and their priority.

[0267] As mentioned above, the present embodiment facilitates devising measures for eliminating the difference between the answers given in interviews and the real information system. Accordingly, a discrepancy between the security policy and the real information system is easily eliminated.
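The analyzer 30 of FIG. 7 and the flow of FIG. 8 (S8-1 to S8-3), together with the level-2 classification of [0258] to [0266], written out as an added Python example. This is not the patent's analyzer, which is described as an expert system; the inquiry keys, the role weights used to pick the most probable answer, the three draft rules, the interview answers and the inspection finding are all constructed for illustration.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Any, Callable

# Weight of an answer by the respondent's job specification, used to adopt the
# most probable answer when answers contradict (matching means 41, option 1).
# Roles and weights are assumptions made for this example.
ROLE_WEIGHT = {"cio": 3, "manager": 2, "system_admin": 4}
PRIORITY_ORDER = {"immediately": 0, "high": 1, "medium": 2, "low": 3}

@dataclass(frozen=True)
class Answer:
    inquiry: str      # identifier of the inquiry submitted to the member
    respondent: str   # job specification of the member who answered
    value: Any        # None records "no limit" / "no such mechanism"

@dataclass(frozen=True)
class Rule:
    item: str         # policy item, e.g. "network.segment_admin"
    category: str     # level-2 type: "personnel", "operating" or "technical"
    measure: str      # countermeasure proposed when the rule is violated
    priority: str     # key of PRIORITY_ORDER
    satisfied: Callable[[dict], bool]   # True when the system meets the rule

def find_contradictions(answers: list[Answer]) -> dict[str, list[Answer]]:
    """S8-1 (contradiction inspection means 32): inquiries whose answers differ."""
    by_inquiry: dict[str, list[Answer]] = defaultdict(list)
    for a in answers:
        by_inquiry[a.inquiry].append(a)
    return {q: grp for q, grp in by_inquiry.items()
            if len({repr(a.value) for a in grp}) > 1}

def build_virtual_system(answers: list[Answer]) -> dict:
    """Virtual information system establishment means 34: one value per
    inquiry, keeping the answer of the highest-weighted respondent."""
    system: dict = {}
    best: dict[str, int] = {}
    for a in answers:
        w = ROLE_WEIGHT.get(a.respondent, 0)
        if a.inquiry not in best or w > best[a.inquiry]:
            best[a.inquiry] = w
            system[a.inquiry] = a.value
    return system

def verify_system(virtual: dict, inspected: dict) -> dict:
    """Real system input means 36: inspection findings override the
    interview-derived values they cover; the other answers are kept."""
    return {**virtual, **inspected}

def detect_differences(draft: list[Rule], system: dict) -> list[Rule]:
    """Difference output means 38 plus S8-3: the rules the system violates,
    ordered by the priority of their countermeasure."""
    violated = [r for r in draft if not r.satisfied(system)]
    return sorted(violated, key=lambda r: PRIORITY_ORDER[r.priority])

# Minimum requirements of the draft, after the examples in [0242], [0261] and
# [0264]; the item names and inquiry keys are assumptions.
DRAFT: list[Rule] = [
    Rule("host.password_expiry", "technical",
         "Set a maximum password age; unlimited validity is not permitted.",
         "high", lambda s: s.get("password_max_days") is not None),
    Rule("network.segment_admin", "personnel",
         "Designate an administrator or owner for every network segment.",
         "immediately", lambda s: bool(s.get("segment_admins"))
         and all(s["segment_admins"].values())),
    Rule("host.inactive_account", "technical",
         "Delete the password of any account unused for 30 days.",
         "high", lambda s: s.get("inactive_password_deletion_days") is not None
         and s["inactive_password_deletion_days"] <= 30),
]

# Constructed interview answers for the example.
SAMPLE_ANSWERS = [
    Answer("password_max_days", "manager", None),        # "valid without limit"
    Answer("password_max_days", "system_admin", None),
    Answer("segment_admins", "system_admin", {"dmz": "alice", "office-lan": None}),
    Answer("inactive_password_deletion_days", "manager", 30),
    Answer("inactive_password_deletion_days", "system_admin", None),
]
# Constructed inspection finding: the hosts do expire passwords after 90 days,
# so the interview answer on that point was simply wrong.
SAMPLE_INSPECTION = {"password_max_days": 90}

def run_step3(answers: list[Answer], inspection: dict) -> dict:
    """FIG. 8 as a whole: S8-1, then comparison (1) against the virtual system
    and comparison (2) against the system verified by actual inspection."""
    virtual = build_virtual_system(answers)
    return {
        "contradictions": sorted(find_contradictions(answers)),
        "comparison_1": detect_differences(DRAFT, virtual),
        "comparison_2": detect_differences(DRAFT, verify_system(virtual, inspection)),
    }

if __name__ == "__main__":
    result = run_step3(SAMPLE_ANSWERS, SAMPLE_INSPECTION)
    print("contradictory inquiries:", result["contradictions"])
    for key in ("comparison_1", "comparison_2"):
        print(key, [(r.item, r.category, r.priority) for r in result[key]])
```

With the constructed answers, S8-1 flags only the inquiry on which the manager and the system administrator disagree; the administrator's answer wins by weight, so the virtual system records no deletion mechanism. Comparison (1) then reports all three differences, the personnel one first because its priority is "immediately", and comparison (2) drops the password-expiry difference once the inspection finding overrides the wrong answer, which is exactly why [0246] says the verified comparison shows the points to be amended more clearly.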

D Step 4: Adjustment of Policy and Rules

[0268] In step 3, the discrepancy between the real information system and the security policy draft is clarified, and the measures for eliminating the discrepancy and their priority are also made clear. In step 4, the measures and the actual work are examined.

[0269] Measures are roughly classified into two categories.

(1) Adjust the security policy draft so as to match the real information system.

(2) Adjust the operation rules of the real information system.

[0270] These measures will now be described in detail.

D-1 Adjustment of Security Policy Draft

[0271] As has been described, the security policy draft is called a set of global guidelines. The security policy draft is prepared by means of an appropriate combination of basic items and contents for establishing a standard security policy. Several types of global guidelines are already known. In the present embodiment, rules and policies are extracted from the global guidelines, as required, and a security policy is drafted by using the thus-extracted rules and policies in combination. In the drafting phase, the most rigorous of the several types of global guideline is selected, and the thus-selected guideline is taken into the security policy draft.

[0272] Thus, in terms of the severity of a rule, global guidelines differ from each other according to type. For example, a certain global guideline defines a password as being valid for 60 days, whereas another global guideline defines a password as being valid for 180 days.

[0273] In the drafting phase, individual rules are defined so as to comply with the most rigorous requirements. Some organizations may consider the rules of the security policy draft to be unacceptably rigorous. In such a case, the rules are preferably changed to less rigorous rules.

[0274] In a case where a rule defining a single password as being valid for 60 days is considered to be unacceptably rigorous, the duration of validity of a password is changed to 180 days after discussions with the organization. Thus, a rigorous rule is changed to a less rigorous rule.

[0275] In this way, so long as the severity of each rule is changed in consideration of the organization's intent, a security policy matching the real information system can be established.

[0276] The security policy draft is adjusted in the manner mentioned above.
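The drafting and relaxation of [0271] to [0274], carried through to a setting script of the kind [0228] calls a second-level product policy, as an added Python example that is not part of the patent. The guideline names and every value other than the 60-day and 180-day password validity are assumed; the point that "most rigorous" means a smaller value for a maximum password age but a larger value for a minimum length is what the example is there to show. The rule that a relaxed value may not go past the least rigorous guideline is a bound this example adds, and the /etc/login.defs keys are an assumed rendering target.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RuleSpec:
    name: str
    lower_is_stricter: bool   # True: a smaller value is the more rigorous one

# Direction of rigor per rule: a maximum password age is stricter when smaller,
# a minimum password length when larger. Rule names are assumptions.
RULES = {
    "password_max_days": RuleSpec("password_max_days", True),
    "password_min_length": RuleSpec("password_min_length", False),
    "inactive_account_days": RuleSpec("inactive_account_days", True),
}

# Constructed guideline values: only the 60-day and 180-day password validity
# figures come from the text ([0272]); the rest are assumed for illustration.
GUIDELINES = {
    "guideline_a": {"password_max_days": 60, "password_min_length": 8,
                    "inactive_account_days": 30},
    "guideline_b": {"password_max_days": 180, "password_min_length": 12,
                    "inactive_account_days": 90},
    "guideline_c": {"password_max_days": 90, "password_min_length": 10},
}

def _values(name: str, guidelines: dict) -> list:
    """Values that the guidelines which define this rule assign to it."""
    return [g[name] for g in guidelines.values() if name in g]

def most_rigorous(name: str, guidelines: dict):
    vals = _values(name, guidelines)
    return min(vals) if RULES[name].lower_is_stricter else max(vals)

def least_rigorous(name: str, guidelines: dict):
    vals = _values(name, guidelines)
    return max(vals) if RULES[name].lower_is_stricter else min(vals)

def draft_policy(guidelines: dict) -> dict:
    """Drafting phase ([0273]): every rule at its most rigorous guideline value."""
    return {name: most_rigorous(name, guidelines) for name in RULES}

def relax(policy: dict, name: str, requested, guidelines: dict) -> dict:
    """Step 4 adjustment ([0274]): move one rule to a less rigorous value agreed
    with the organization. The bound below is added by this example: the
    agreed value may not be looser than the least rigorous guideline."""
    spec = RULES[name]
    floor = least_rigorous(name, guidelines)
    too_loose = requested > floor if spec.lower_is_stricter else requested < floor
    if too_loose:
        raise ValueError(f"{name}={requested} is looser than every guideline ({floor})")
    return {**policy, name: requested}

# Assumed rendering target for the second-level product policy: keys of
# /etc/login.defs (shadow-utils). Rules without a key here are not rendered.
LOGIN_DEFS_KEYS = {"password_max_days": "PASS_MAX_DAYS",
                   "password_min_length": "PASS_MIN_LEN"}

def render_login_defs(policy: dict) -> str:
    """Second-level product policy ([0228]): a setting fragment usable as-is."""
    lines = [f"{LOGIN_DEFS_KEYS[n]} {policy[n]}" for n in LOGIN_DEFS_KEYS if n in policy]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    draft = draft_policy(GUIDELINES)        # 60 days, 12 characters, 30 days
    agreed = relax(draft, "password_max_days", 180, GUIDELINES)
    print(render_login_defs(agreed))
```

Keeping the direction of rigor in the rule specification rather than in the merge code is what keeps the draft correct when a new rule type is added: a plain `min()` over all rules would silently pick the weakest minimum password length.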

D-2 Adjustment of Rules

[0277] On the basis of the measures described in connection with the level-2 inspection and analysis, the operation rules of the real information system are adjusted. Adjustment of rules means modifications to the operating method and modifications to the rule settings of a security system (e.g., a firewall).

E Step 5: Priority Planning

[0278] Establishment of a security policy for the real information system of the organization is completed by step 4.

[0279] Security measures must be sequentially performed in accordance with the thus-established security policy. In step 5, the measures are examined in consideration of priority and are described in a list. Preparation of such a list enables planning of future security measures, and a budget can also be examined on the basis of the plan. Without such a list, forecasting the costs of future information security would be difficult, making it hard to draw up a budget.

[0280] Security measures include training for compelling members to respect the security policy and analysis of system logs, as well as the introduction and testing of a security system.

[0281] A security policy includes monitoring of the network, auditing of operations on the basis of the security policy, and review of the security policy.

[0282] There may be a case where the security policy must be modified in accordance with a change in the organization's information system or a change in the operation of the information system. For this reason, the security policy must be reviewed periodically.

F Step 6: Implementation of Security Enhancement Measures

[0283] On the basis of the security measures list which has been prepared in step 5 in consideration of priority, the security enhancement measures are actually implemented. Security enhancement measures can be smoothly implemented in accordance with the list and the security policy.

[0284] In the present embodiment, the processing from establishment of a security policy to its maintenance is performed in six steps. Therefore, a security policy can be established and implemented stepwise, and can be implemented in consideration of the organization's desires.

[0285] As has been described above, according to the present invention, inquiries are submitted to the members of an organization, and a security policy is established on the basis of the resultant answers. Accordingly, a security policy can be established easily.

[0286] Further, a security policy is established stepwise, and hence a security policy can be established flexibly while taking into consideration the organization's desires (e.g., a budget or the like).

[0287] According to the present invention, the state of the information security of an organization is diagnosed, so that the organization can become aware of the importance of information security.

[0288] Since security measures can be provided together with their priority, planning measures for future information security becomes easy. Moreover, the organization can discuss a budget on the basis of the plan.

[0289] There are provided a method of efficiently establishing a security policy and an apparatus for supporting establishment of a security policy. According to the method of establishing a security policy in six steps, a simple security policy draft is first prepared. The security policy draft is adjusted so as to match the realities of the organization, as required, thus completing a security policy stepwise. Therefore, a security policy can be established in consideration of the schedule or budget of the organization.



EP 1 160 643 A2

Claims

1. A method of establishing a security policy for a predetermined organization, the method comprising:

a draft preparation step of preparing a security policy draft;
an analysis step of examining a difference between the security policy draft and realities of the organization; and
an adjustment step of adjusting the security policy draft on the basis of the difference or adjusting operation rules of an actual information system belonging to the organization on the basis of the difference.

2. The method of establishing a security policy according to claim 1, wherein the draft preparation step comprises:

a preparation step of preparing inquiries to be submitted to members of an organization;
an inquiry step of submitting the prepared inquiries to the members;
an answer acquisition step of acquiring from the members answers to the inquiries; and
a drafting step of preparing a security policy draft on the basis of the answers.

3. The method of establishing a security policy according to claim 2, wherein the preparation step involves preparation of inquiries on the basis of job specifications of the members to be inquired.

4. The method of establishing a security policy according to claim 2, wherein the answer acquisition step includes at least one of the steps of:

integrating the answers acquired from a single member from among the acquired answers and storing the integrated answers into storage means as the answers of a single member to be inquired;
re-submitting inquiries to members if contradictory answers are included in the answers, to thereby resolve the contradiction, and storing the answers into the storage means; and
assigning weights to answers according to the job specifications of the members to be inquired if contradictory answers are included in the answers, to thereby determine answers and store the answers into the storage means.

5. The method of establishing a security policy according to claim 2, wherein the analysis step comprises at least one of:

a contradiction inspection step of inspecting whether or not contradictory answers are included in the answers;
a first difference detection step of inspecting a difference between an information system virtually designed on the basis of the answers and the security policy, by means of comparison; and
a second difference detection step of verifying the virtually-designed information system by means of examination of a real information system and inspecting a difference between the verified information system and the security policy draft by means of comparison.

6. The method of establishing a security policy according to claim 5, further comprising a measurement step of devising measures addressing the inspected difference in conjunction with the priority of the measures.

7. The method of establishing a security policy according to claim 1, further comprising a diagnosis step of diagnosing the security state of the organization, wherein a result of the diagnosis performed in the diagnosis step is submitted to the organization, whereby the organization can become conscious of the necessity for a security policy.

8. The method of establishing a security policy according to claim 6, further comprising:

a priority planning step of planning, in sequence of priority, implementation of the security measures which have been devised with priority, thereby embodying a budget of the organization.

9. The method of establishing a security policy according to claim 8, wherein the security measures comprise

introduction and testing of a security system;
training for compelling employees to respect a security policy;
analysis of system logs;
monitoring of a network;
auditing operations on the basis of the security policy; and
reviewing the security policy.

10. The method of establishing a security policy according to claim 8, further comprising:

a security enhancement measures implementation step of implementing the security measures in accordance with the plan.



11. A method of establishing a security policy comprising:

a preparation step of preparing inquiries to be submitted to members of an organization;
an inquiry step of submitting the prepared inquiries to the members;
an answer acquisition step of acquiring from the members answers to the inquiries; and
an establishment step of establishing a security policy on the basis of the answers.

12. The method of establishing a security policy according to claim 11, wherein the preparation step involves preparation of inquiries on the basis of job specifications of the members to be inquired.

13. The method of establishing a security policy according to claim 11, wherein the answer acquisition step includes at least one of the steps of:

integrating the answers acquired from a single member from among the acquired answers and storing the integrated answers into storage means as the answers of a single member to be inquired;
re-submitting inquiries to members if contradictory answers are included in the answers, to thereby resolve the contradiction, and storing the answers into the storage means; and
assigning weights to answers according to the job specifications of the members to be inquired if contradictory answers are included in the answers, to thereby determine answers and store the answers into the storage means.

14. The method of establishing a security policy according to claim 11, wherein the establishment step involves establishment of three types of security policies, namely:

an executive-level security policy which describes the organization's concept and policy concerning information security, in conformity with global guidelines;
a corporate-level security policy which describes an information security system embodying the executive-level security policy; and
a product-level security policy which describes measures to implement the executive-level security policy with reference to the corporate-level security policy.

15. The method of establishing a security policy according to claim 14, wherein the corporate-level security policy includes two types of corporate-level security policies, namely:


a top-level security policy describing standards for the information security system of the overall organization; and
a sub-level security policy describing standards for the individual units constituting the information security system of the organization.

16. The method of establishing a security policy according to claim 14, wherein the product-level security policy includes two types of product-level policies, namely:

a first-level security policy described in natural language; and
a second-level security policy describing settings of the individual devices constituting the information security system.

17. The method of establishing a security policy according to claim 11, further comprising an analysis step of examining a difference between the security policy draft and realities of the organization;

the analysis step further comprising at least one of

a contradiction inspection step of inspecting whether or not contradictory answers are included in the answers;
a first difference detection step of inspecting a difference between the security policy and an information system virtually designed on the basis of the answers, by means of comparison; and
a second difference detection step of verifying the virtually-designed information system by means of examination of a real information system and inspecting a difference between the verified information system and the security policy draft, by means of comparison.

18. The method of establishing a security policy according to claim 17, further comprising a measurement step of devising measures for the inspected difference, in conjunction with the priority of the measures.



an executive-level security policy which de- 
scribes the organization's concept and policy 
concerning Infomnation security, in conformity 
with global guidelines; 

5 a corporate-level security policy which de- 

scribes an information security system embod- 
ying the executive-level security policy; and 
a product-level security policy which describes 
measures to implement the executive-level se- 

10 curlty policy with reference to the corporate-lev- 

el security policy. 



19. An apparatus of establishing a security policy com- 
prising: 

inquiry preparation means for preparing Inquir- 
ies to be submitted to members of an organiza- 
tion; 

1} storage means for storing answers to the inquir- 
ies; 

answer archival storage means for acquiring 
from the members the answers to the inquiries 
and storing the answers into the storage 
means; and 

establishment means for establishing a securi- 
ty policy on the basis of the answers stored in 
the storage means. 

20. The apparatus for establishing a security policy ac- 
cording to claim 1 9, wherein the inquiry preparation 

^ means prepares inquiries to be submitted to the 
members to be Inquired, on the basis of Job speci- 
fications of the members to be Inquired. 

21. The apparatus for establishing a security policy ac- 
cording to claim 19, wherein the answer archival 
storage means 



23. The apparatus for establishing a security policy ac- 
cording to claim 22, wherein the corporate-level se- 
is curity policy includes two types of corporate-level 
security policies; namely, 

a top-level security policy describing standards 
for the Information security system of the over- 
do all organization; and 

a sub-level security policy describing standards 
for individual units constituting the infomnatlon 
security system of the organization. 

25 24. The apparatus for establishing a security policy ac- 
cording to claim 22, wherein the product-level se- 
curity policy includes two types of product-level pol- 
icies; namely, 



30 a first-level security policy described in natural 

language; and 

a second-level security policy describing set- 
tings of Individual devices constituting the Infor- 
mation security system. 

35 

25. A method of assessing the state of security of an 
organization, the method comprising: 



an Inquiry preparation step of preparing inquir- 
40 ies to be submitted to members of an organiza- 

tion; 

an inquiry step of submitting the prepared In- 
quiries to the members; 
an answer acquisition step of acquiring from the 
45 members answers to the inquiries; and 

a security state assessment step of assessing 
the state of security on the basis of the an- 
swers. 



integrates the answers acquired from a single 
member from among the acquired answers and 
stores the integrated answers into the storage 
means as answers of a single member to be 
" inquired; or 

re-submits inquiries to members if contradicto- 
ry answers are included in the answers, to 
thereby resolve contradiction, and stores the 
answers into the storage means; or 
assigns weights to answers according to job 
specifications of the members to be inquired if 
contradictory answers are included in the an- 
swers, to thereby detemnine answers and 
stores the answers into the storage means. 

22. The apparatus for establishing a security policy ac- 
cording to claim 19, wherein the establishment 
means establishes three types of security policies: 
namely, 



50 26. The method of assessing the state of security of an 
organization according to claim 25, wherein the In- 
quiry preparation step involves preparation of in- 
quiries on the basis of job specifications of mem- 
bers to be inquired. 

55 

27. The method of assessing the state of security of an 
organization according to claim 25, wherein the an- 
swer acquisition step involves integration of previ- 
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ous answers and acquired answers in a case where 
the answers are provided by an member to be in- 
quired who has provided answers before, and in- 
volves storage of the Integrated answers Into stor- 
age means as answers from a single member to be 
inquired. 

28. The method of assessing the state of security of an 
organization according to claim 25, wherein the as- 
sessment of a security state Includes 

assessment of security of the organization; 
assessment of security of the other organiza- 
tions Included in an Industry to which the organ- 
ization pertains; and 

the highest security assessment which Is con- 
sidered to be attainable by organizations in the 
industry to which the organization pertains. 



10 
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answers are provided by a member to be inquired 
who has provided answers before, and stores the 
integrated answers Into the storage means as an- 
swers from a single member to be inquired. 

33. The apparatus for assessing the state of security of 
an organization according to claim 30, wherein the 
security effectiveness report includes 

the degree of completeness of the organiza- 
tions security; 

the degree of completeness of security of other 
organizations included in an industry to which 
the organization pertains; and 
the highest degree of completeness of security 
which Is considered to be attainable by organ- 
izations in the industry to which the organiza- 
tion pertains. 



29. The method of assessing the state of security of an 20 
organization according to claim 25, wherein the as- 
sessment of a security state Includes scores as- 
signed to the following Items; namely, 

understanding and attitude concerning securi- 
ty; 

a security system of the organization; 
response to unexpected accidents; 
preparation of a budget for security; and 
measures to Improve security. so 

30. An apparatus of assessing the state of security of 
an organization, the apparatus comprising: 

preparation means of preparing Inquiries to be 3s 
submitted to members of the organization; 
storage means for storing answers to the inquir- 
ies; 

answer archival storage means of acquiring 
from the members the answers to the Inquiries 40 
and storing the answers into the storage 
means; and 

security effectiveness preparation means for 
preparing a security effectiveness report repre- 
senting the degree of completeness of security, 4s 
on the basis of the answers stored In the stor- 
age means. 

31 . The apparatus for assessing the state of security of 

an organization according to claim 30, wherein the 50 
preparation means prepares Inquiries to be submit- 
ted to the members to be Inquired, on the basis of 
Job specifications of the members to be inquired. 

32. The apparatus for assessing the state of security of ss 
an organization according to claim 30, wherein the 
answer archival storage means integrates previous 
answers and acquired answers in a case where the 



34. The apparatus for assessing the state of security of 
an organization according to claim 30, wherein the 
security effectiveness report includes scores as- 
signed to the following items; namely. 

understanding and attitude concerning securi- 
ty; 

a security system of the organization; 
response to unexpected accidents; 
preparation of a budget for security; and 
measures to improve security. , 

35. An analyzer for analyzing a difference between a 
security policy and an infomnation system of an or- 
ganization, comprising 

contradiction inspection means for inspecting 
whether or not contradiction exists between in- 
dividual answers in response to inquiries sub- 
mitted to members of the organization; and 
contradiction output means for outputting infor- 
mation about the inspected contradiction. 

36. The analyzer for analyzing a difference between a 
security policy and an infomnation system of an or- 
ganization according to claim 35, further compris- 
ing: 

matching means for matching the answers by 
means of elimination of contradiction on the ba- 
sis of the information about contradiction, thus 
producing answers free of contradiction; 
establishment means for virtually establishing 
an information system for the organization on 
the basis of the answers produced by the 
matching means; and 

difference output means for outputting a differ- 
ence between the configuration of the virtually- 
established information system and a security 



22 



43 EP1 160643 A2 

policy, by means of comparison. 

37. The analyzer for analyzing a difference between a 
security policy and an information system of an or- 
ganization according to claim 36, further compris- 
ing: 

real system input means for examining the in- 
f omnation system of the organization and enter- 
ing the configuration of the information system; 
and 

difference output means which verifies the vir- 
tually-established information system by refer- 
ence to the configuration of the information sys- 
tem and outputs a difference between a secu- 
rity policy and the configuration of the virtually- 
established info mnation system which has been 
verified, by means of comparison. 
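The answer-integration, contradiction-inspection, weighted-resolution and scoring steps of claims 13, 21, 27, 28, 29 and 35 above, carried through as an added worked example in Python. This is not code from the patent or from its applicant; the role weights, inquiry items, category mapping, industry reference values and sample answers are all constructed assumptions, chosen only to exercise the two resolution paths the claims name (weighting by job specification, and re-submitting the inquiry when weighting cannot decide).

```python
"""Added example (not from the patent): questionnaire pipeline with per-member
answer integration, contradiction detection, weighted resolution by job
specification, and a scored security effectiveness report."""
from collections import defaultdict
from dataclasses import dataclass

# Weight of a role's answer when answers about one item contradict each other
# (claims 13/21). Role abbreviations follow Fig. 6; the numbers are assumed.
ROLE_WEIGHTS = {"FWA": 3, "HST": 2, "NET": 2, "PCA": 1, "HR": 1}


@dataclass(frozen=True)
class Answer:
    member: str  # who answered
    role: str    # job specification abbreviation (e.g. FWA = firewall administrator)
    item: str    # inquiry item the answer refers to
    value: str   # "yes" or "no"


def integrate_by_member(answers):
    """Claims 13/21/27: merge all answers from one member into one record per
    item; a later answer to the same item overrides the earlier one (assumed
    semantics for a member who has answered a re-submitted inquiry)."""
    merged = {}
    for a in answers:
        merged[(a.member, a.item)] = a
    return list(merged.values())


def find_contradictions(answers):
    """Claim 35: items for which different members gave different values."""
    values_by_item = defaultdict(set)
    for a in answers:
        values_by_item[a.item].add(a.value)
    return sorted(item for item, vals in values_by_item.items() if len(vals) > 1)


def resolve_by_weight(answers):
    """Claims 13/21: per item, keep the value backed by the highest total role
    weight. Exact ties stay unresolved so the inquiry can be re-submitted
    (the other resolution path in the claims) rather than guessed."""
    totals = defaultdict(lambda: defaultdict(int))
    for a in answers:
        totals[a.item][a.value] += ROLE_WEIGHTS.get(a.role, 1)
    resolved, unresolved = {}, []
    for item, by_value in totals.items():
        ranked = sorted(by_value.items(), key=lambda kv: kv[1], reverse=True)
        if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
            unresolved.append(item)
        else:
            resolved[item] = ranked[0][0]
    return resolved, sorted(unresolved)


# The five score items of claims 29/34, each mapped to constructed inquiry items.
CATEGORIES = {
    "understanding_and_attitude": ["policy_known", "training_done"],
    "security_system": ["firewall_deployed", "antivirus_deployed"],
    "incident_response": ["incident_plan_exists"],
    "security_budget": ["budget_allocated"],
    "improvement_measures": ["audit_scheduled"],
}


def score_report(resolved, industry_avg, industry_best):
    """Claims 28/33: per-category completeness (percentage of items resolved to
    "yes"; unresolved items count as not satisfied) beside the industry average
    and the best score considered attainable in the industry."""
    report = {}
    for cat, items in CATEGORIES.items():
        satisfied = sum(1 for i in items if resolved.get(i) == "yes")
        report[cat] = {
            "organization": round(100 * satisfied / len(items)),
            "industry": industry_avg[cat],
            "best": industry_best[cat],
        }
    return report


# Constructed sample input: one member answers twice, two items are contradicted
# across members (one decided by weight, one an exact tie).
SAMPLE_ANSWERS = [
    Answer("alice", "FWA", "firewall_deployed", "yes"),
    Answer("bob", "PCA", "firewall_deployed", "no"),       # FWA(3) outweighs PCA(1)
    Answer("carol", "HST", "antivirus_deployed", "yes"),
    Answer("bob", "PCA", "antivirus_deployed", "no"),      # HST(2) outweighs PCA(1)
    Answer("dave", "HR", "training_done", "no"),
    Answer("dave", "HR", "training_done", "yes"),          # same member, later answer wins
    Answer("alice", "FWA", "policy_known", "yes"),
    Answer("erin", "NET", "incident_plan_exists", "yes"),
    Answer("carol", "HST", "incident_plan_exists", "no"),  # NET(2) vs HST(2): tie
    Answer("dave", "HR", "budget_allocated", "no"),
    Answer("bob", "PCA", "audit_scheduled", "yes"),
]
INDUSTRY_AVG = {"understanding_and_attitude": 60, "security_system": 75,
                "incident_response": 40, "security_budget": 50, "improvement_measures": 55}
INDUSTRY_BEST = {"understanding_and_attitude": 95, "security_system": 100,
                 "incident_response": 90, "security_budget": 85, "improvement_measures": 90}


def run_example(answers=SAMPLE_ANSWERS):
    integrated = integrate_by_member(answers)
    contradictions = find_contradictions(integrated)
    resolved, unresolved = resolve_by_weight(integrated)
    return contradictions, resolved, unresolved, score_report(resolved, INDUSTRY_AVG, INDUSTRY_BEST)


if __name__ == "__main__":
    contradictions, resolved, unresolved, report = run_example()
    print("contradictory items:", contradictions)
    print("re-submit inquiry for:", unresolved)
    for cat, row in report.items():
        print(f"{cat:28s} org={row['organization']:3d} industry={row['industry']:3d} best={row['best']:3d}")
```

Integration runs before contradiction inspection on purpose: a member who revised an earlier answer must not be reported as contradicting themselves, which is why `training_done` does not appear in the contradiction list even though two opposite answers were collected. Items left in the unresolved list are exactly those the claims send back to the members as re-submitted inquiries.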
EP 1 160 643 A2 

Fig. 1: flowchart of the six steps of the method: ASSESS EFFECTIVENESS OF SECURITY -> PREPARE SECURITY POLICY DRAFT -> INSPECT AND ANALYZE SYSTEM -> ADJUST POLICY AND RULE -> PRIORITY PLANNING -> IMPLEMENT MEASURES TO ENHANCE SECURITY.

Fig. 2: block diagram of the security assessment apparatus (10): INQUIRY PREPARATION MEANS (12), STORAGE MEANS (14), ANSWER ARCHIVAL STORAGE MEANS (16) and SECURITY EFFECTIVENESS PREPARATION MEANS (18); inputs and outputs shown are JOB SPECIFICATION (QUALIFICATION), INQUIRY, ANSWER and SECURITY EFFECTIVENESS ASSESSMENT REPORT.

Fig. 3: flowchart of the assessment method: S3-1 PREPARE INQUIRY -> S3-2 SUBMIT INQUIRY TO MEMBER -> S3-3 ACQUIRE ANSWER -> S3-4 PREPARE SECURITY EFFECTIVENESS ASSESSMENT REPORT.

Fig. 4: block diagram of the security policy draft preparation apparatus (20): INQUIRY PREPARATION MEANS, ANSWER ARCHIVAL STORAGE MEANS, STORAGE MEANS and DRAFT PREPARATION MEANS (28); inputs and outputs shown are JOB SPECIFICATION (QUALIFICATION), INQUIRY, ANSWER and SECURITY POLICY DRAFT.

Fig. 5: flowchart of the draft preparation method: S5-1 PREPARE INQUIRY -> S5-2 INQUIRY -> S5-3 ACQUIRE ANSWER -> S5-4 PREPARE SECURITY POLICY DRAFT.

Fig. 6: table of job specification types (qualifications) used for preparing inquiries.

TYPE                                          DEFINITION
APPLICATION ADMINISTRATOR [APP]               ADMINISTRATOR FOR ADMINISTERING OPERATION OF APPLICATIONS OR OPERATION OF GROUP OF APPLICATIONS
APPLICATION SECURITY ADMINISTRATOR [ASA]      ADMINISTRATOR FOR ADMINISTERING LOCAL SECURITY OF APPLICATIONS OR LOCAL SECURITY OF GROUP OF APPLICATIONS
INTERNAL AUDIT [AUID]                         OFFICER IN CHARGE OF INTERNAL AUDIT
PRESIDENT / CHIEF EXECUTIVE OFFICER [CEO]     OFFICER OR PRESIDENT HAVING A FINAL AUTHORITY TO MAKE DECISIONS AS TO INTERNAL BUSINESS, OPERATION, OR GENERAL MATTERS
CENTRAL INFORMATION OFFICER [CIO]             CENTRAL INFORMATION OFFICER, NOT MERELY A MEMBER IN CHARGE OF COMPUTERS. OFFICER IS CHARGED WITH THE RESPONSIBILITY FOR PLANNING AND CARRYING OUT UTILIZATION OF INFORMATION SYSTEMS AS A CORPORATE STRATEGY. THE OFFICER IS ALSO THE CHIEF OFFICER OF THE INFORMATION AND COMMUNICATION DEPARTMENTS
DIRECTOR OF DISASTER RECOVERY [DDR]           SENIOR-LEVEL OFFICER IN CHARGE OF RECOVERING SYSTEM FROM DISASTER
DIAL-IN ADMINISTRATOR [DIR]                   (definition partly illegible) FOR DEPARTMENT
DIRECTOR OF INFORMATION PROTECTION [DIP]      INFORMATION SECURITY OFFICER
DISASTER RECOVERY ADMINISTRATOR [DRA]         DISASTER RECOVERY OFFICER FOR ADMINISTERING RECOVERY OF NETWORK SEGMENT, HOST, OR APPLICATIONS FROM DISASTER
DEPARTMENT SECURITY ADMINISTRATOR [DSA]       SECURITY ADMINISTRATOR FOR ADMINISTERING SECURITY OF NETWORK SEGMENT, HOST, OR APPLICATIONS IN EACH DEPARTMENT
DIRECTOR OF COMMUNICATION [DTC]               OFFICER IN CHARGE OF PHONE LINE AND ELECTRIC COMMUNICATION, INCLUDING WIDE RANGE OF NETWORK CONNECTION
FACILITATOR [FAC]                             INTERVIEWER
FIREWALL ADMINISTRATOR [FWA]                  MEMBER WHO ADMINISTERS OPERATION OF A FIREWALL HOST SYSTEM
HUMAN RESOURCES [HR]                          DEPARTMENT IN CHARGE OF HIRING AND TRAINING EMPLOYEES
HOST ADMINISTRATOR [HST]                      ADMINISTRATOR FOR ADMINISTERING OPERATION OF LOCAL HOST OR OPERATIONS OF GROUP OF LOCAL HOSTS
LEGAL OFFICER [LEG]                           LEGAL ADVISER
NETWORK SEGMENT [NET]                         ADMINISTRATOR FOR ADMINISTERING OPERATION OF NETWORK SEGMENT, OR OPERATIONS OF GROUP OF NETWORK SEGMENTS
PERSONAL COMPUTER ADMINISTRATOR [PCA]         OPERATION ADMINISTRATOR IN CHARGE OF LOCAL USER DESKTOP COMPUTERS